quasar | hxxps://buzzheavier[.]com/ctdrpftdijys

Analysis

max time kernel
324s
max time network
324s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-11-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://buzzheavier.com/ctdrpftdijys

Score

10^/10

quasar office04 sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00280000000451c4-397.dat	family_quasar
behavioral1/memory/4768-399-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/files/0x0003000000000367-425.dat	family_quasar
behavioral1/memory/4580-427-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

Processes:

SGVP%20Client%20Users.exeRegistry.exeRuntime Broker.exe

pid	Process
4768	SGVP%20Client%20Users.exe
4580	Registry.exe
3136	Runtime Broker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
83	raw.githubusercontent.com
85	raw.githubusercontent.com
104	raw.githubusercontent.com
105	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\983a7db5-ccb2-4b99-9bee-3b4cf04e6075.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241128004856.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2460	schtasks.exe
4072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell_ise.exetaskmgr.exe

pid	Process
4260	msedge.exe
4260	msedge.exe
1084	msedge.exe
1084	msedge.exe
1524	identity_helper.exe
1524	identity_helper.exe
3148	msedge.exe
3148	msedge.exe
3216	powershell_ise.exe
3216	powershell_ise.exe
3216	powershell_ise.exe
3216	powershell_ise.exe
3216	powershell_ise.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
2060	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell_ise.exeSGVP%20Client%20Users.exetaskmgr.exeRegistry.exeRuntime Broker.exe

description	pid	Process
Token: SeDebugPrivilege	3216	powershell_ise.exe
Token: SeDebugPrivilege	4768	SGVP%20Client%20Users.exe
Token: SeDebugPrivilege	2060	taskmgr.exe
Token: SeSystemProfilePrivilege	2060	taskmgr.exe
Token: SeCreateGlobalPrivilege	2060	taskmgr.exe
Token: SeDebugPrivilege	4580	Registry.exe
Token: SeDebugPrivilege	3136	Runtime Broker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe
2060	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1084 wrote to memory of 3996	1084	msedge.exe	80
PID 1084 wrote to memory of 3996	1084	msedge.exe	80
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 3460	1084	msedge.exe	81
PID 1084 wrote to memory of 4260	1084	msedge.exe	82
PID 1084 wrote to memory of 4260	1084	msedge.exe	82
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83
PID 1084 wrote to memory of 3252	1084	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://buzzheavier.com/ctdrpftdijys
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb3c0c46f8,0x7ffb3c0c4708,0x7ffb3c0c4718
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff629775460,0x7ff629775470,0x7ff629775480
    3⤵
    PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,8429946889847764604,595529399470659397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Downloads\take2.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216
- C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe
  "C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe
  "C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2460
- - C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4072

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
891278e89717a42d44c0d40a29acf896

SHA1
fcbf1bc7e56f0d3822f1274025051867b026d61e

SHA256
e1049df58ddcae5aae9a5056cad93ca1b8bdbd9a5c8d4898a6f299b1e8cba263

SHA512
0634af67ec7941cdd989245a126ddad6ab6de4c4cb62f02e1e1dba014f7958604b41974294aaa37784fe6c5498b9611da80202c77d32bf02a0ff3e9459dfad34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
7c885ca14afe0b42ebc3c8d0f824cc1b

SHA1
10a8b7536ea361a7f4caafef4769492d09cdea7a

SHA256
3c60ba79f50512b2c64c6a6a21f3ec346c07a46b8e3efceb5dd954ef2bed0532

SHA512
c1b7b8a41a34fa590edb2e53db53b2e2e8db6efdb0027d1ce28a25860b1b40f29efc5e578b3b807978193595fc1441b6217b40b1b33799d144231a3c50a0517f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
853B

MD5
3259d59a5c53bfd6c34c02ccbaec2017

SHA1
526484d8add84799a6305547e473e747d035bedd

SHA256
32d04218db945462916970a6bd1578f0e4ff0a8a2e1a1e469b4f12c324a2f2a8

SHA512
d70d1a8614ed9ec392659c91c7d8edade73c32576b827eac3284e46630d67b16198386b8a74798ad335ac0788dbbc422c20e3ec9fb34da3b92b125993540f756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a420e9de7fdfdc2c958c47cb00ce0b8

SHA1
c3cf1e6dac62df0d905c9f8dc967925cb12731e7

SHA256
604f687b527a5bc1741934db0601da6837e82984c0590cc538da1c0573580ed9

SHA512
c64223bc6681e77e9f6dba4f2152360e93a6ff0acf3316061abca7f8f1dec8a4ebb0c18bbe06aa4b0278c93acc9f4fa43eeb60c39eaedaa39afe45a74fcde030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fca25b89cb4355d273fb7764ef297f2

SHA1
6c72816387564166fccbbf3c407bcbad3376647f

SHA256
08d4688b65692eb204b72eccb8a22b1193f4da46e738378e8093af8a16744882

SHA512
b16e1c23089b4b8987c324d3c27da52e6526e6185b297e0adabcbfff509f3100fcff059ee7028444e74256975e5feba25846f76ed427a37af6722e627c05b0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ee8c0727c6c6569d2e85f284a1590e8

SHA1
3bad925abe77d8a131efad19119b8b52d32e8c57

SHA256
fae62aec6610b5c8b9d6b9a35dbcab89451db22afe4c057d0dbd1f7ca8d4b181

SHA512
99f0786f4518776623959e2e945f73daecc1b297cb6dc1ae8a23c22058fbbaf1c5f6961371911eb96fe4693f68155a8741a260535d85cb61cb8e4eec383597e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ac2b76299740efc6ea9da792f8863779

SHA1
06ad901d98134e52218f6714075d5d76418aa7f5

SHA256
cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199

SHA512
eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
41ec674d65579478322fbc3d9cb0fc55

SHA1
408fba4378215a7b92bc45a5f9808b053f40d007

SHA256
faa6e757bc001565649ae07746d0d97566aefc988f80ce8d9d8bfd6a224655d5

SHA512
0c94e2972c9fa28c69cffd8eaa9f3da9ab0ffe08060156fbe3fa57a3918aab1a36d4ddedaa594a35229d2c73003e32f101e0aaa0cd66e95a79d03a087c03bd0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cbead2dd91f946c3bf77303a66bb4e32

SHA1
b214cc7b85faa9ece6c9af869f99e298a920f67d

SHA256
4a5d56ecfd59f281f0ad8bdf12fe822daf12cf91c15ed24e7821b982aaed555f

SHA512
b82b67a82acf472d82e3038a99c690472f6952b07b84966e3c0e283a8d72ffc68f6243a415629a09ce59938504f44beb6d3d826421edaa729bda34a4f0385037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\pjocffuv.tmp

Filesize
793B

MD5
855c48511bc7984bdf802dc2dcdf782f

SHA1
212a7a63d0bc52725efddd96c17bd25d5b83ccac

SHA256
c08141cc61a1d7b7c9f6265124c3fcd66dd2592db89fafdb396c5ceac465f281

SHA512
650e7b9d54a7af87a4f66ee73b88f2cf66729761633ec8caaae6585ca85f4a5db2f72ea635cdb3f4ad562d224b086637f2f46fb5ab872d7eebd20199f3e4fa2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfcywbzb.3op.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b94f25ebbdcfa1246aa9a50ceab40730

SHA1
ef327d5fdafd2fb7a86e85dd03d381517ddc2570

SHA256
b45698896c011b4f4057c4d054ff40538085860aee60acc8aa34fa0e6f28ef7a

SHA512
bc7b5bf21edba3507d3cc2412738926c1c515d259b4d0dcc47235f6f9a11a8ba91c6ee9b5f5f3210af399097df97d726529384f41c2d175d3ba9da89995a838c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7feaa1e4b554b16d7927379f28423747

SHA1
f6f0f4af2058428f14f40e3cdbafec5e54fb4564

SHA256
4b271953a96c5b982aaa539604c90e0c0a58f6935f2ab0bc3944a64936cd3c75

SHA512
2a811e1982b723d4de5d2fbd11b9629bd45b1e7334eb4d1f9c5eb836119b5adf58abecc936b83058c83da2cd3e15d6a6317c1dc22d1b5430766a6def69bdd585

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 661025.crdownload

Filesize
2KB

MD5
318201fbda053334f8bc0055bf301b8c

SHA1
1779af1f3632518b814d4735f078f62f229a56a4

SHA256
b30c0044f659cf287805224f5d8078ec6893bf8aaee4d9c272f51b7c493cc06f

SHA512
bd5a71860429585f292e54749466e93e24c2c96112a2c5019a00f171e92b9f53e062d47edebd59fc85ab84d2a05e5e9484c83785cc31a8233eafac3bde77ae6c

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe

Filesize
3.1MB

MD5
6f154cc5f643cc4228adf17d1ff32d42

SHA1
10efef62da024189beb4cd451d3429439729675b

SHA256
bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff

SHA512
050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
\??\pipe\LOCAL\crashpad_1084_ZLAOMDKEXQSCYEHJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2060-409-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-402-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-407-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-408-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-406-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-410-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-411-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-412-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-400-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/2060-401-0x000002230DE40000-0x000002230DE41000-memory.dmp

Filesize
4KB

Download
memory/3136-431-0x000000001D850000-0x000000001D902000-memory.dmp

Filesize
712KB

Download
memory/3136-430-0x000000001D740000-0x000000001D790000-memory.dmp

Filesize
320KB

Download
memory/3216-370-0x000001F67F840000-0x000001F67F878000-memory.dmp

Filesize
224KB

Download
memory/3216-415-0x000001F67FD40000-0x000001F67FD7C000-memory.dmp

Filesize
240KB

Download
memory/3216-375-0x000001F666E30000-0x000001F666E38000-memory.dmp

Filesize
32KB

Download
memory/3216-391-0x000001F67FE60000-0x000001F67FED6000-memory.dmp

Filesize
472KB

Download
memory/3216-369-0x000001F666E20000-0x000001F666E2E000-memory.dmp

Filesize
56KB

Download
memory/3216-390-0x000001F67F8B0000-0x000001F67F8D6000-memory.dmp

Filesize
152KB

Download
memory/3216-389-0x000001F67F680000-0x000001F67F688000-memory.dmp

Filesize
32KB

Download
memory/3216-387-0x000001F666E50000-0x000001F666E58000-memory.dmp

Filesize
32KB

Download
memory/3216-414-0x000001F67F8E0000-0x000001F67F8F2000-memory.dmp

Filesize
72KB

Download
memory/3216-441-0x000001F67F690000-0x000001F67F698000-memory.dmp

Filesize
32KB

Download
memory/3216-418-0x000001F680060000-0x000001F6801D6000-memory.dmp

Filesize
1.5MB

Download
memory/3216-419-0x000001F6803F0000-0x000001F6805FA000-memory.dmp

Filesize
2.0MB

Download
memory/3216-368-0x000001F666E60000-0x000001F666EAA000-memory.dmp

Filesize
296KB

Download
memory/3216-367-0x000001F665110000-0x000001F665148000-memory.dmp

Filesize
224KB

Download
memory/3216-386-0x000001F666E40000-0x000001F666E48000-memory.dmp

Filesize
32KB

Download
memory/3216-385-0x000001F67F800000-0x000001F67F822000-memory.dmp

Filesize
136KB

Download
memory/4580-427-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/4768-399-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download