quasar | 870ffdfaec0f76ad2bac52a5c639a34813bf44c37a2c6b52ca582b7a704bbea0

Resubmissions

02-01-2025 13:29

250102-qrk14swngk 10

02-01-2025 13:05

250102-qbgnrawjgr 10

02-01-2025 12:58

250102-p7xt6ssnh1 10

Analysis

max time kernel
419s
max time network
420s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

livedata.exe
Size

3.1MB
MD5

3393507c6698a8fa7552b474820fa233
SHA1

bc8e2078156b3b87341a0045eb581ac68f605767
SHA256

870ffdfaec0f76ad2bac52a5c639a34813bf44c37a2c6b52ca582b7a704bbea0
SHA512

e28f41de1271208944f86d06b265aa0ecadc899a53e41705a1f2df06b919b58d9d3d9dc227c3ccf8568e15491ca06135b26b2e9be7968b1512533b2a177998a9
SSDEEP

49152:DvOI22SsaNYfdPBldt698dBcjHjMS8mzwYoGd8JTHHB72eh2NT:Dvj22SsaNYfdPBldt6+dBcjHjMSxs

Score

10^/10

quasar office04 discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

ahmettt-36012.portmap.io:36012

Mutex

b47a15cf-f43b-4ac8-b123-ef745bc58b02

Attributes

encryption_key
DFDF5CC5F6DA9099931F989981D7F56159CE6C69
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/5336-1-0x00000000008F0000-0x0000000000C14000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002ab83-7.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
5308	Client.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
708	msedge.exe
708	msedge.exe
5684	identity_helper.exe
5684	identity_helper.exe
2776	msedge.exe
2776	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5336	livedata.exe
Token: SeDebugPrivilege	5308	Client.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
5308	Client.exe
5308	Client.exe
5308	Client.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
5308	Client.exe
5308	Client.exe
5308	Client.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe
708	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5336 wrote to memory of 5308	5336	livedata.exe	78
PID 5336 wrote to memory of 5308	5336	livedata.exe	78
PID 5308 wrote to memory of 708	5308	Client.exe	83
PID 5308 wrote to memory of 708	5308	Client.exe	83
PID 708 wrote to memory of 1340	708	msedge.exe	84
PID 708 wrote to memory of 1340	708	msedge.exe	84
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1536	708	msedge.exe	85
PID 708 wrote to memory of 1996	708	msedge.exe	86
PID 708 wrote to memory of 1996	708	msedge.exe	86
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88
PID 708 wrote to memory of 6020	708	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\livedata.exe
"C:\Users\Admin\AppData\Local\Temp\livedata.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5336
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5ebb3cb8,0x7fff5ebb3cc8,0x7fff5ebb3cd8
      4⤵
      PID:1340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
      4⤵
      PID:1536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      PID:788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
      4⤵
      PID:3292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
      4⤵
      PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
      4⤵
      PID:3296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      4⤵
      PID:3780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
      4⤵
      PID:5916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
      4⤵
      PID:5904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
      4⤵
      PID:956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
      4⤵
      PID:4236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
      4⤵
      PID:720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
      4⤵
      PID:4956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
      4⤵
      PID:2896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
      4⤵
      PID:5092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
      4⤵
      PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
      4⤵
      PID:2720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4824 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
      4⤵
      PID:6096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
      4⤵
      PID:5128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4737753831600968096,15143421278253240354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
      4⤵
      PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tadexananigötündensi̇ker.com/
    3⤵
    PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5ebb3cb8,0x7fff5ebb3cc8,0x7fff5ebb3cd8
      4⤵
      PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bacinisi̇ki̇yi̇m.com/
    3⤵
    PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5ebb3cb8,0x7fff5ebb3cc8,0x7fff5ebb3cd8
      4⤵
      PID:1012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ananinaminakoyayim.com/
    3⤵
    PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5ebb3cb8,0x7fff5ebb3cc8,0x7fff5ebb3cd8
      4⤵
      PID:2824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0f20b83f2da38bc808b323d1738fd0ce

SHA1
a66c3ad650e68e8b3b329208286fc753ce05e0cc

SHA256
233704d18a29e315ed7259e20c47edc08f2a08a2defd0cadc996cec99af9b016

SHA512
f75f9d88bc5b8e70cea770f32c6e7440bbbba4b2ec531e3d7f4e4b2edcd8a9b7080ea09fa0000c4ec1b8f624d4c05df3600b0fac93b6522ce821871c6150b5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
2f13a2b83e4f4c57b52bfbe9e95dda33

SHA1
eea48a73637171fcd4caa4ad57b02061332b4d35

SHA256
b685363771e585a764c17ac486cef3a8c442052129748b705403a94db5aa698f

SHA512
7b9a77e53904f2324e1c052035b301aca4a2927925bae1a57d9caeb60e0f383d0e74663b204d2f9799b4fec371b5e21674a7275048f46480f08aef957259bad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fef2b3101a787b9c9f27defb3628fc1e

SHA1
95890d2a2f613a27b601e4f169a4a19d51b0bd4b

SHA256
5cdc38fe010e9cb6243bf61d14d6469f6fe38e0a3f2daf3784fb6057fc62a8bf

SHA512
93cdda3bb3a9aaf3feef5a928c64e6dd4349d74a0d814dd548c41d7a1daa7f00b5bdfd7a3a3f39f5b0b28085aa23433e7cca4af20ce511d4ec19df28dc315d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d62767b75242a9e5ef56b6771f6c49d1

SHA1
a159271d85792826653026a093924011f7884afd

SHA256
7193a650ce31c099d865f48946015a0b0d8fca884552262ce2e91ad6fd366a43

SHA512
9bc1e0d32ca2addcc5b4d5e8bd774234222cecd6c7e128c4c5602c7f058622fba74ce754877cc81b62dbdc70ff5e86ed0f424b5adef365f1c7a9b404bc68d565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6a9168c28d92d5a1435798b430d470a

SHA1
0a6265c4a181ca7a3a4a31c4c4cfdf82b364d984

SHA256
e2878f2e6b6e1894340807eb1e5137a6ba2e1d2660b2db1a147ef66ecfd7f3ea

SHA512
00763a3e08398d1261e19a6633bb74d947f80e532be315fadf2e07c6f659339d1e5a04130eee2de6183deab95ecbe615b603a1978ce72a906068c1cae5c369e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8e93c1dc71fed0f6c0d8a0867a3d776

SHA1
6da16d2d2e81ffcfc34a16ef0f89d5eaf29607c2

SHA256
bef3fbf3b949a38f4de21a8a534104ec132ba235581e60d717d1302ce65fcaef

SHA512
79d7d1405a40353f65ef788e2739346c430f6d80250d15b3ffc7df2ebf4cde4fdb75aab8eca05cf1a09ff7393b8a1e28cf7b8dc508265de1f1c2bc00d7b6a0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3604d63071482afb0bc0586876191a22

SHA1
0451b2eea16c18147d7a22dcf97de6ba81861fd2

SHA256
fa1522d4829b57af5e8983bd364f0eee66c08f858df9230e528c10fedf78b69b

SHA512
aec1484b8739a770792f6331ddf39f5a65ed4875582d6838edec433c6c1bdbfac2374447b9b8e00c80afd24adf344953f81b358c2be826e77ce36a0ac89ee638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f9c5bbea28ef5db9b55010f4f75f4495

SHA1
521c9621f3b48d085e6e874e7d30cbea9d7a44cc

SHA256
1818f82d2038dcf68af9b011a8a4a12f8bee0554c62eeb92c9d9e8483a02fbc4

SHA512
2aecb21c360fa7ae01022ff211ee39aa5bbde9f560cabd6ada654fc32b5b77d2cdc48ac60936aa2dc79430496f2ee62a16fb11d5286737ec06738d57140bb112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ce128993689b4d7d07d01b318b770460

SHA1
d6a51399966209da30721dbdd9580458b6125e01

SHA256
bf0140f13affd398d6d921c0b5b028edda312d37154a91542dba7c94afdd20d4

SHA512
d684c92f5e4feb989258d5884b1745e240ac8ab0b48c8e568bc009f588dfa5155c3da4c10441413be6d63bb42c983d65520bb427d38cb1bae4e04f57bbe65839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f9e68c1641d7efe1a79b0993a920c865

SHA1
ab4911ae082c3fe0b8c447086aee9c1814df5710

SHA256
5abbbac092b56dc4f20e2d8c725447edc2f4f188b3853ef5df18bc77325a47d4

SHA512
60085dc8843af20e22a774d10c9581199e80d54d217842d3096ffe3efd2e2a6f67399bf8f32827227a18083371a1356a5e808321513b77107455b957c3a643f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c29a8.TMP

Filesize
48B

MD5
926f5c093fef846e1263eb4ff1dcff4f

SHA1
0f4bb6c08f30cab4d570bc06d02e9804d17c487c

SHA256
3428c7ea39d09ee31c0509a267b50fd81b1f2936e97bb2271fc4c5f92d401f05

SHA512
3586fe086d3377fb1dc121270aa8fc7f4160c2a7566cd9d0cd66d806572b7eb02f988de4af5639d426958ab65251bc4a4333a2baa0371473efbb79e5ff38b625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
b20311ba1647368ba59e8f7fa6efebf5

SHA1
4b55ab587c4479cc068010064cdedc9941a54385

SHA256
9e5ac9f2486d39c1ba88fb1b4f4939a2524ec27fa56ab16a8df4f63a5f140f2f

SHA512
2f7c0dea42fcf4905d2d3398f1e47b6961956d78881fe0338480362934cb22cc91df8af273c9f0c4b95988f89f6ecd4862087e3a591b31f67f8c198dc8fc11fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
9f54b7c67437e9ef4283fc32a0d54fe8

SHA1
bc3bbbcf82508b344e4221050dbb5ff0d15b0144

SHA256
b5f01163d53c008a76011d703a69e4037f97b966c80eb5e9e0bc9fb5464ac500

SHA512
01151cfab20e74dac8e82375892e6ad55395898e2d7fef2e161f5e115bc9c30e35f532371ee67635bdd655025b2c42cbbbf5bfb593c5bf180a3f4c6d264df19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5cc5c8.TMP

Filesize
537B

MD5
5d272cd8fb76c0ad6ba3341d0395e7a0

SHA1
1a9a940786dbeac26fa8707df819f26650316539

SHA256
04641fbb202ebd2803bb8ad747e3d8d0c6592c9d36295569b47d24f091e03f2a

SHA512
a6923cc096a8323f43769a42c460b97c0d0b3fb0de198e7ca0f336835899399e5c9205608a8d59475d633da1859d7d927de9b3576ced2e77ac5e47f16e71a65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c90ca38ef9ddfa4d9ffb7539a2cea90

SHA1
e68aaad79f3a544aa26f19aa3a90bde8e1a6e413

SHA256
a6486bd06753ad60402e58acaffb43d0e23b961ffd934035f6db6fad22b88f9b

SHA512
1c5ebc52d8fbd05cf7391dad359a9e9d29c832474a5336b6c1b14dd608a74bfbefe6554d84c3bb046a546f11f35792fe2cc84dc036df7bdda713386a4e9f266e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7fd74f5c272269a78906c5c345615504

SHA1
0334114ff5c8a1e900d4eda7e7d8d0026b50bd3d

SHA256
0265335aa6fa9543d2eaf69fb8fa03852930197b438844a46f88827906605d63

SHA512
c828d81703f66d3655653840255fcadbddbc20ea0706d03bbe8e88b2c664a39107ec5abfae686a18422cfca3f20e9319f57f496ca2fefd79bf94809234001239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e4c244dacc1012a7cefc0aba1417495

SHA1
0db1a36ca6802bc86b1b13ef5bf9567380872f71

SHA256
f220b03b6a4975e43625827d42682efd827fdc5715c9e0dcac8a33f54f918f09

SHA512
b7b161c91078ea36fb279b2f22746399cedf657141310b2eb204a69fa33b350cd634dd42fab1944503a27d807bb6dc609afc702251fb34276172331a6273dd1b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3393507c6698a8fa7552b474820fa233

SHA1
bc8e2078156b3b87341a0045eb581ac68f605767

SHA256
870ffdfaec0f76ad2bac52a5c639a34813bf44c37a2c6b52ca582b7a704bbea0

SHA512
e28f41de1271208944f86d06b265aa0ecadc899a53e41705a1f2df06b919b58d9d3d9dc227c3ccf8568e15491ca06135b26b2e9be7968b1512533b2a177998a9

Download Submit
memory/5308-11-0x000000001BDB0000-0x000000001BE00000-memory.dmp

Filesize
320KB

Download
memory/5308-16-0x000000001BE20000-0x000000001BE32000-memory.dmp

Filesize
72KB

Download
memory/5308-13-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5308-12-0x000000001BEC0000-0x000000001BF72000-memory.dmp

Filesize
712KB

Download
memory/5308-10-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5308-9-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5308-17-0x000000001BE80000-0x000000001BEBC000-memory.dmp

Filesize
240KB

Download
memory/5336-0-0x00007FFF51773000-0x00007FFF51775000-memory.dmp

Filesize
8KB

Download
memory/5336-8-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5336-2-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5336-1-0x00000000008F0000-0x0000000000C14000-memory.dmp

Filesize
3.1MB

Download