quasar | 0717e7dba5d6758431ecfa178c4e5c850340dc2a64009572252bb1639a2be16a

Analysis

max time kernel
885s
max time network
893s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

48be60b3ee1e00cc82390f9b15a557b0
SHA1

3a85f43f73a6559d93f8510ddd322fd25ab6478f
SHA256

0717e7dba5d6758431ecfa178c4e5c850340dc2a64009572252bb1639a2be16a
SHA512

9367f3dde580ec19c8c6ef1c83bc7119160d70bca7cae04e0e2fb3242083797306ecdfbda4014782ffe04a23cdd85830fc7a49ff4eb55087e9ee1f096967a4ef
SSDEEP

49152:HvTI22SsaNYfdPBldt698dBcjHj3v7Bx4OoGdLTHHB72eh2NT:Hvs22SsaNYfdPBldt6+dBcjH7vz

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

Mutex

9f808638-1d71-4cd8-bcba-dc4258c5567c

Attributes

encryption_key
50594C0487E73C95F03F5F7C150B052B4C74F9BE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/3172-1-0x00000000007A0000-0x0000000000AC4000-memory.dmp	family_quasar

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3736	msedge.exe
3736	msedge.exe
4884	msedge.exe
4884	msedge.exe
1664	identity_helper.exe
1664	identity_helper.exe
1960	msedge.exe
1960	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	Client-built.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	Client-built.exe
Token: SeDebugPrivilege	2464	firefox.exe
Token: SeDebugPrivilege	2464	firefox.exe
Token: SeDebugPrivilege	2464	firefox.exe
Token: SeDebugPrivilege	2464	firefox.exe
Token: SeDebugPrivilege	2464	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe
3736	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3172	Client-built.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe
2464	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 5016	3172	Client-built.exe	77
PID 3172 wrote to memory of 5016	3172	Client-built.exe	77
PID 3736 wrote to memory of 2368	3736	msedge.exe	85
PID 3736 wrote to memory of 2368	3736	msedge.exe	85
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 5056	3736	msedge.exe	86
PID 3736 wrote to memory of 4884	3736	msedge.exe	87
PID 3736 wrote to memory of 4884	3736	msedge.exe	87
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88
PID 3736 wrote to memory of 3168	3736	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5016

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8c323cb8,0x7fff8c323cc8,0x7fff8c323cd8
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,9725777829680246151,15920033682236463479,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1848
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16499259-919b-4686-b9b0-a5b31c1f55dd} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" gpu
    3⤵
    PID:352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05115dad-f52e-45db-981d-c372c02180d2} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" socket
    3⤵
    - Checks processor information in registry
    PID:1524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3232 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ccded4c-f504-4e64-9508-6ca4f62d5cf4} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3368 -childID 2 -isForBrowser -prefsHandle 2548 -prefMapHandle 2748 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2618d36d-6d5d-4af4-8398-e1e2619d7a34} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab
    3⤵
    PID:1332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4536 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4432 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {138d94c5-5f49-4778-a764-87766a76deef} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" utility
    3⤵
    - Checks processor information in registry
    PID:3568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5384 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc698fe-2f0d-4953-85e4-0d1134347816} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab
    3⤵
    PID:2284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4748c65-5e10-4123-a3f6-b67977e4af4e} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab
    3⤵
    PID:4696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5744 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dac82707-82d6-45b1-8953-3ff8f27d4c41} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab
    3⤵
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0bc53e0fca0efbe20179d2e2eebebae5

SHA1
1c5f4a8772c022235ab84fee58617a37b120d6d2

SHA256
ebe9d56ee43f348e0b69cf27727254f406c3efbd04dfe22c4357b44cdba14d60

SHA512
0deae37109ecd3aa199643380289410eb013d31a535fa4aa8363f2726fb61dc09f2f8d7ba68b2c5d2f8e23dc7d8ed100739d21af8a6e74e7a1383e66d30cdc29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d75c6915d40a06ef3f45be179ca79a3d

SHA1
c0c598044d623a1148de3f43c44755a0914b3c86

SHA256
1f3d7da95065173705b5aa579e2edc80fc0941e0d1830a4b642a1b7aa7c18116

SHA512
0ceebdd6ed4bc1bccd994c064716da7999e8f34693364f9290cb0ff5fd4ae29aa442e0d714192f444b11fc1d2ccf6d96f85d9557cf5a35074c1068684311927e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1cde79709a73d39723c8973c45e364e0

SHA1
0d390b93dcd67c1e3c04ed9104f439cdb23bb16c

SHA256
53d0f1a804c3235c324baf3c46af585421861b9ef02eb875d045e2151bca07f2

SHA512
69cbe9235ffe5f2c4bbce3c262f8b12bdd2411f0551d9b19a39ac92c9d764957e8cc066145f40998d3e5ca6030ffef4a973fa8fe2ed7d455a709c3950ab2d1e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b023bed52925ef2e150840065cb682a2

SHA1
40e32c371d0703a943edfb006168434abb0a7bfd

SHA256
4146d8077b30922ba9c3e0983516c4f6a1cbccd0acd6340b8898032cc4658ae3

SHA512
70ffa09daa152a432e4dc46b15cc92c07813e3bb0bd7d3112016e675c1525a2951c9febae7f53776e304dd58be452e1d42ae9c785f3108354f927abf4743e9cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
83ae21b05ba5819a42ac334b3c8d854f

SHA1
75657ee90bd8961124f842d1e687ccde8ea44cd7

SHA256
a3f71ec535c9040880c49324fb55c2bf25c35de644eba69ae548d90ca365ddc2

SHA512
e7fe7956301d7d8292ebdfc460dd8be881a974712db8333d615e9d685efda4e9e0b50dfe272d84a5661046b82f7623cba2f24209efb6a6b7b62a0ac982f2270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
74cf021e54d3cd3619c4b47dc4fc64ee

SHA1
d99f0804fcfd5746fc868e6463fa63efa04b8bcb

SHA256
21813a5b89f270e76690061e74c567ef85e2f189e940b986c90e9f11ec0f70c7

SHA512
c4774fe91b255ac2a3641b26fb9729906fb6c1a2d10e8b64b9633dc662180a235482874003a4826e3d5bac2c4abc6af6c3b3d3e78b2ea0d459055fa00ee22663

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
2e5b1079ebed32d809b3fd80d753efd8

SHA1
3e2a870755f436eeb2341405fa6b512ca6e1cf9b

SHA256
d01917e21511dd451b6d5afa316d0426c55d6632dd52f6b1adc01b83b15bfbdf

SHA512
efaeef557684abae42c6ae719d5b4376565cf258992b6eb6c0b195ddcad97cea8957cdedf9339c01daeac2e59eb8ff799091ccb3182b4b217f5ad786c62ae934

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\2c51e839-1681-4c1a-99aa-83b4ffc927d6.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
8KB

MD5
1df6a391bd0e4b107c19ef0b389effea

SHA1
8ef3b08b758059cbc273125995fcab066fad9d3a

SHA256
1039cf66df877e2a892d80541e20a3a06a8d9e812fa061eb079aaf82d2ad2886

SHA512
5a5b3fc0f32c1f2145efa9ab8b3778f1b224c27281a08429abb4b743eac4debf0afdcbb6df13c7ad26dbbe828b9da8cf11ca4e440987e4fb41300660b0c8f494

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
55575fcc69f817b382516ba85235fb84

SHA1
4bc41ed926c34baea77738636209fdebbcfef640

SHA256
639303b12035094b7f7783f4f81e5e6084785ac7dfae2f9e511d1b7706f7bdb4

SHA512
99c023e46766bd660157252ab95b33b8294d1c1b39afa357ba2ef763a8c48fdc6fe56d10a909ec1077f50539b6fb811fb46076852eeb71eb2b03e8d475a8f5b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
72d66a297d5f323ba9ecf92b8051d8a7

SHA1
4c94b64d07cfbdabb3f0cc57df5ec571d3e7feff

SHA256
f9367fbc96b9472ade77ed52a3b142bffd295e029811f4c7f8957ce7a457a6ce

SHA512
31afa256415f8119d2fe897ac437775df0ed44c2c1ce66f4a473d5920fffcac529450f968bbeb09e41ddec0f123f9e8c73127b6bd9407a27945b399a8cc75a40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\0ab5d754-2e52-4d39-b35c-9528b7a3af92

Filesize
659B

MD5
572009dc141baf5b517b94d7750644cd

SHA1
e9663870e7dc0577cf136aa2c0d025658d012233

SHA256
17050ab87373e7758ef368c038c651225ddbeccfcf5cab9d8359b60f3e82d106

SHA512
1f99be51b63d85163c99c875d2dd048588ea229fae2a3695398fe3a9addb269422911439deff291b0eda6a07aaaaf94c37f2de01fa815dde5640bfa0f7ca1606

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\a57ca72c-2584-47b8-9855-c66ba311bbd6

Filesize
982B

MD5
edd3cdd64056b5012f8e000c273e4a00

SHA1
2371de51f1caca3c4d322464b0ece92a91704cf3

SHA256
e4110258272a196d1ad7433a9d9cc0a5fcfd97f97c9c82640b7fdf440474adcc

SHA512
4ecae8094cc4d452497a99fc62158871867995966b673a4c32414d7f1748eb5fe1495898019a1eb5afeaf5cfb3bcd8994fcb7c0b4e902cba3236a9b1378a72ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
10KB

MD5
79ee72ba8be3f3cc37fed6b7bf49a347

SHA1
a174f2fbbcb1ac81e6bbf949fdd98881254f6e09

SHA256
63d767c15bf76113a83546ed97960c0723f270ab38c1ecc2919142dd9774acd3

SHA512
f2ba5e716a965e15cae11f9b4145119859bf8a610b77bb4230a65fa19df055e93f5dac7210809f768915113a72868cca0286d3ab7152dfb9d2af8b1224eb0afa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
10KB

MD5
64b32874cd7d9bf9f0a4ace132685d97

SHA1
945413b5c36f99e6a3de97c237c401514c52320d

SHA256
cce619ccab2b06a24aa54a595df91747b86c89113fc562647e370b1f89c63320

SHA512
2ee3adabaaf583db7da0fbb6a23c891cda74232a2aade6a126b20f6260929bfc6b32d96cfe7b81544c09a7cfa106eac8a2ffdca7ddee3cb1147e2f8c20be4c7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
12KB

MD5
a7d29801c9a64e44592b6c1aacdbd566

SHA1
6d9469ed345a2943f6f0f3d7d0d118abaa479438

SHA256
6f071b1bc03fcf2431acbec6a354e0a584311c3f9b9006012150909441378826

SHA512
2860dd717f84a6d0b4280f79c7041fd6cb1208e715f27b78f10a65a493992d7ad45d3a819428fb25f38627929b9d58d93ebc2c625ba79e1356bbdcb68fa580c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
dc2bc16c9bac392add8b27811fe8564f

SHA1
c291cfe72dd9c5f195019e4d2b02447f5a214355

SHA256
629a7eedb0fdad04f2ef7be1a71eeb73993f67af66177a28caeb414d4f78d7ce

SHA512
cb369225caa4ee037213cd7caa5d0277fa13509f6d4dc98b82b60ec1a2c5c996521213fd4c0e6c2c77bd907d01a1b3c3197a3097da3bb6aeff2aa8a91b6f8fd2

Download Submit
memory/3172-7-0x000000001C990000-0x000000001CEB8000-memory.dmp

Filesize
5.2MB

Download
memory/3172-3-0x000000001B900000-0x000000001B950000-memory.dmp

Filesize
320KB

Download
memory/3172-2-0x00007FFF923D0000-0x00007FFF92E92000-memory.dmp

Filesize
10.8MB

Download
memory/3172-0-0x00007FFF923D3000-0x00007FFF923D5000-memory.dmp

Filesize
8KB

Download
memory/3172-4-0x000000001C050000-0x000000001C102000-memory.dmp

Filesize
712KB

Download
memory/3172-5-0x00007FFF923D3000-0x00007FFF923D5000-memory.dmp

Filesize
8KB

Download
memory/3172-1-0x00000000007A0000-0x0000000000AC4000-memory.dmp

Filesize
3.1MB

Download
memory/3172-6-0x00007FFF923D0000-0x00007FFF92E92000-memory.dmp

Filesize
10.8MB

Download