quasar | 966f15e926103d221b54f1a0952ce8249d13b3ee2df1cff051bd8498e8122c88

Analysis

max time kernel
673s
max time network
688s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01/02/2025, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

dc5a70257c7c9fa081b965fd3e374e4d
SHA1

431695b3d0c067911938647db95b6ebe437dc475
SHA256

966f15e926103d221b54f1a0952ce8249d13b3ee2df1cff051bd8498e8122c88
SHA512

2ec5fe1c8c053004d32df89659703a538a0c134255bf89e9ac83b59bf62479b21e7f28b5504849df09e2db832bcac557faaec9463b97dc1cc92aaa19a30b94de
SSDEEP

49152:mvkt62XlaSFNWPjljiFa2RoUYI3QdxNESE1k/iqLoGdNTHHB72eh2NT:mv462XlaSFNWPjljiFXRoUYI3KxUU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.26.230:4782

Mutex

8abf5b6b-5423-41c5-b608-867d81b01289

Attributes

encryption_key
08843B9267E60170339102520D9ADAD908F901C1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsHealth
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2564-1-0x0000000000750000-0x0000000000A74000-memory.dmp	family_quasar
behavioral1/files/0x001b00000002ab2a-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4964	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3512	schtasks.exe
2824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
720	msedge.exe
720	msedge.exe
2760	msedge.exe
2760	msedge.exe
1124	identity_helper.exe
1124	identity_helper.exe
2844	msedge.exe
2844	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	Client-built.exe
Token: SeDebugPrivilege	4964	Client.exe
Token: 33	4584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4584	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4964	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3512	2564	Client-built.exe	77
PID 2564 wrote to memory of 3512	2564	Client-built.exe	77
PID 2564 wrote to memory of 4964	2564	Client-built.exe	79
PID 2564 wrote to memory of 4964	2564	Client-built.exe	79
PID 4964 wrote to memory of 2824	4964	Client.exe	80
PID 4964 wrote to memory of 2824	4964	Client.exe	80
PID 2760 wrote to memory of 2504	2760	msedge.exe	88
PID 2760 wrote to memory of 2504	2760	msedge.exe	88
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 3052	2760	msedge.exe	89
PID 2760 wrote to memory of 720	2760	msedge.exe	90
PID 2760 wrote to memory of 720	2760	msedge.exe	90
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91
PID 2760 wrote to memory of 3260	2760	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsHealth" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3512
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsHealth" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffbd6623cb8,0x7ffbd6623cc8,0x7ffbd6623cd8
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5212 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1319322012283934023,8663405663085705031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0599bae03ee7bf7bebb1c1b4049bd790

SHA1
a51d25ae76246f8c42cc1f4682471f7707f8d100

SHA256
3cc43b83b147d87be4c891c93d20d8ed5a4158ac8d1d2333211771bcfc93e449

SHA512
3cdf0d5d330ee6f43f84fa075e583ac6263711b08742eacb47940d6a6a86b89818b86b863b03640966d0e8c9e8389a3932f0e8bd7132170f0a1fcd781d4719f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5440b34efe18b05fe4d2ee9299271edc

SHA1
cf043f9edcb7652298c22b4628a2880f00c030d3

SHA256
8d12e989327cec2f654b79c56551d432c2bfff672a624cd1cb862dc8223649ba

SHA512
d16f6a975b244351a3b2915659e42735ebba396c997dc4bebc9d9008ede44df8cb900ae9dc586f17dec53aaf45be80bbbd1c9b493a377e441deb559dbdbab969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d3b1a61e6959fabfd0dc83bf0d728ffb

SHA1
c976c66f35eb9a63cc6baf20fe25c7c5b87c403b

SHA256
510ee81c61447c3ee968a2074dc238f5b142d59c7b1d98649b494337317c403a

SHA512
d8c732d50e6f2f80d4c9c2e63dc27b7a8aadbc995e279d63f17b0250ce53f3f65e54860bd1478a07b019abb47e7060489f0c8b40a3a5cd897d4a02e3240acbc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8c85f1fa6bb619d0d30abbe3be0b465e

SHA1
bba74875f887f93770e57cfcce8615e9f4f630ab

SHA256
fd3e600fa1d0723358223a891f959fff8bd06ab868a6374c14e2b98638a7e222

SHA512
c0576d1958aa81118ccca3455410fc9798701e25f9afbc3c979912771326b0bf746564dc31fbeb4996f5a2f1009e429d55183edaa7a13b661bd05ca118fe7e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
976a0be468a2cce1166e63d1f18246ea

SHA1
4fb57b0e6d1553561eb105724b6555bc1f2c4151

SHA256
2d83290a0bb3113bf74980ff864ba947ff791f02083d5761bb22580ccd8797c5

SHA512
4bc228eba59fa07f96226f3cb34ad000bb4fd2ed95d125bf0bf5b6ee577c4b0fd65e9ea39456b399d8475993aad47abfb3c32d98689dba0a104acc2c53fdd70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
dd9ee8ed15f69c1d001ea718424c98c9

SHA1
444f1dba12a324c69c3e69011a5af512ca597dbe

SHA256
40314c7bf02333a94ce81e11561f3979286a2c5f4cdf70f11846dd3a0a07f2d9

SHA512
2d1e187f07fabde56d973abdee92d53ea83fe073615111d76c2f45ac63e8f3413e10761d8272a3c41e52d905f8c824724a3e83a7c132816705a94b42acda5979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
09d3bddeed5df1656f2ba1a7e4a3a6da

SHA1
09e00712792c222671a128b58b644b68eea0c797

SHA256
338a63858e5975330c10322812ba7412513b5a1f29506f16b2dc50db38a5bc07

SHA512
dbc1c3f707a2e2d7556b093a8da83c8083aefcf2410e27886145964a3f12488d8ab58c678e98ef282a7a0694e6eb16eb1e63dd74471859178124dc2cf923995b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f80a12f90e5677f32f1f30f6c3558760

SHA1
461ba303ffd55e6926bdae415eb51961019a9a95

SHA256
cc9f3ea634281780aac84c27b7f75e78a6d6be55856149707f1530b642c0d991

SHA512
9cc9fa32dbae4e38fde2d15c4f19b31c57d71bba1e5dba25a379a2e67c46f78d0cf40f318f173c005b955dbbd7360410fab795e4d88bc105d6af7d358347cdce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
db26358671e57b3f76e5a1e89257e799

SHA1
a95f2315a31dfa18fa30eb71652fa04ade5c1f54

SHA256
2b70abf468dde3d90ae107dbfc1e9f7062b9b3e5a0dae6970dcf681ec5945667

SHA512
969e88f41f9ad8ff0bfa833ca58a8f19953e6ffa30a5c6966307aed1940d5945b1b0e317f18a4c4b8699c2d517981fc3704deb465240ef9f7a720e3fdc6a18c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7c222240a42a472cefdd10795d7972e

SHA1
7f1672dffd6076e45914e7aaa42e72381b033567

SHA256
cc0a38aee2aea0d7328ed782a14c6a629fafa8f63146c61b815959a8c1a316ef

SHA512
57e4919a2ae253025572eca03a2a527b1af4692f314e2dbb578a670c98d0c05f1f5eaf406f47f5eb64d0e45b8c08769a18e88684983030a94d010049cd711642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
4KB

MD5
57fceb797c57ffb8344467c574ae1e41

SHA1
7e4fd4973a488183f30e98ba13a7ce52841a57d8

SHA256
59fcd73e765bc95d7485c391c3fd1f6aa370fe6e0198a9d6d7d57ce4479bbd11

SHA512
14b25503f2a2e8ca25f1118473e44a09dbd1f0a8f8b307ef15cc0fe1ddd2e346b5fd8dc771ccc457084df43d3de26f25328c03c4911104b6ecf75f3ddb15a0ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
27cf53fa506f26743dbc1f0be64cdb29

SHA1
e7315ccbdff8225857877b566a94224752bd4627

SHA256
e9ff78d85502f1594b01651e3493bbbbeba149fd833d26aabad2a82116bd91fa

SHA512
3c7e8984babc1909d650f354316643e4b4a906a6dc0ad854ef964c29aaed929fa0261c93141d9369528d93311b5cc5d26cc95f9e8a6a655414a19e22e27e5e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Filesize
3KB

MD5
4d60b4d1634815e3627906f4e2a16f1a

SHA1
658f4be9c6fb7b94deb3b8b59d2d0604ff293f9d

SHA256
107610b132d7e4b7c80962c45fc0e6d26aaf72b11dd46ff3954376ecbbc1250b

SHA512
133a04185d6cbc0f2ef5584cdc14ea295852097aceb71821917118804d4e66f715dae8629d84857d7419ef08bdaae4f02e35bc99cb51fe64a5e90d7b2ad793d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f60d9f49a4957bfa81ed63f0a9096c7d

SHA1
55360844ab111d17ab1e3457305cdc5ead481875

SHA256
0359d8519b37cd131ea4ccaa72f1b06c10ae05870f6f782e09dfcb9a7fb8f5b0

SHA512
dee7b1a2609955b98871fd5d9826866aa1f852011b1962f869bca5426de3aa7f5370d081ae00c5cdab6cf011a4a1f075bd85686564f86962e65edfc71386d140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59356e.TMP

Filesize
48B

MD5
7ca7ae47d76d30c69a937f72210ee912

SHA1
8e5099ab2fbc06c8e09e79bf4645ad2f8babe210

SHA256
5b744a451efff2931d4789caac7ea4a3743f2f1c7d11722ca8c9961812f7bdbd

SHA512
7b8bb8947045dd5dd32bd021930dfea9b952e9251e7c484b75fcbec0eab086093f3218ce63327fa49ffaca713f5eddcfd0f6e23cd629dc1747a3f608149df188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb12460b70df1aa2e6018e38be533fd7

SHA1
15de7053e45af4334fa7866a4583afda373b1acb

SHA256
47d45de5c517ea4a695d173ceb0c5ef957e6c7b75583c5dbcfc15c4dee195206

SHA512
024b0a740fd5cf412319861e9d62f7be6881c7d50ed8d362d4937e065aaeb856c307aa9e5ca5424e620ced4661853b990b8d67293f7797a5cda0761eaa0f20fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c6959b76a67eb590110d11eeacd40d72

SHA1
00cb64d9d63eb4ec91056053ac033207fec9ffc3

SHA256
097939dd292df7fe3216f83cf5b93c9e9bd461be5d8ad55a0b2d408ec368ae17

SHA512
aecab2c1279cb6122f06fbf9ab5b74e7c199b605a816b67d42a7610547a5cc45a7552bf5234a0eb17ee90e0f5fa6371b1b8ee0febba07b2f4d378e9b840b774c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7ade8765248edb3aaa65bb9c7fad7f2

SHA1
2ae30f91bcdea23d0c6ad3db79055360da805379

SHA256
16a1565e453352232da39d8507b3d662b8115053f8e5cfa031c275a0a7f0820c

SHA512
1550daef191d63c57419fb3e19bc9c81a280af7a9010919c22528ec939fd9a5c4b699b5a68157c48ed022630e0d5cb382babf89eac1e426fe1a3fc63003eeb5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3cedc07c90cebfbf8f369bb3c81f5713

SHA1
a449487fb0068ffd40790691171259d4d5cadcd9

SHA256
992995e52771e3aef0a45cd70a5fd971168d89c38bc23b2353bb40e823717daf

SHA512
6d1592029ea6c124fa2a2754e6314faa743cd1eca4feb2987477ccbfe94ff0fa26d59794cff6916d7b37fc03a0f5ed1485684ee2ebfafa2c629be1948c121f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10431d124b34808b18b850110ceb94a9

SHA1
fb44701f74068cfbbb6bcefa01fc637aa6a937c5

SHA256
2726c68963bf96ade4c62d6616db77f8aeb83cf54a4be5c89b8565406c922f7e

SHA512
673dd99623a915561183f36129bdbee25b2db609701a8406dc11561a3037d2028109c12e3fcd77909569d251b299f5e3f7539e39f9bbb59296aacfd2e7763f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ca31a2747e1281c6bf7863c26ea44ab1

SHA1
252d0740ec81aa38784810bbbe658d3c769f2161

SHA256
9fb783dcf206afa8f3290bdf4bbe0d758c72e18f5bad663410beae2ca0b15538

SHA512
ecd6e13a48edb364138b23d550797a6e492b177a48378aa90d425c61cd1ee742c2422645b39b8905a73ff07e2a6013da0109fcf099dd6ee760276a1344517acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591831.TMP

Filesize
1KB

MD5
05fad2a51f437f0f0e5adfb36d7b8538

SHA1
85d1d6f8041eede4249e3ec79e4899246a3d4020

SHA256
542d83bd9b502c9c9220b2fd634213670d74d144176e9f632448fcfca4b8834d

SHA512
cf521f5ecdfc292487ec35108475328bbd6d70c64d1b586fde52e94212239e3c8b67c49070b7f12daed215d0817e05fd1bfbefd13e434e8b5766ee38aaecd3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b0aadd3048a4baf9be99996e645d3dc0

SHA1
ae2189b7e0e1a6520cd15e4a7f74b1d17f46b96c

SHA256
7f231320ccfd6df29b97a41d84f026e7d78b88f6e45ab4709a11fdbd5200393e

SHA512
d37edfbf9438a463c1afe59b63a8330bac9b6f38627f65927ffb2b4e71763e18005d06c9790d2b75f851193c8b6e2d58b263e8bffdebe65bf80bd4ded4e17f78

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
dc5a70257c7c9fa081b965fd3e374e4d

SHA1
431695b3d0c067911938647db95b6ebe437dc475

SHA256
966f15e926103d221b54f1a0952ce8249d13b3ee2df1cff051bd8498e8122c88

SHA512
2ec5fe1c8c053004d32df89659703a538a0c134255bf89e9ac83b59bf62479b21e7f28b5504849df09e2db832bcac557faaec9463b97dc1cc92aaa19a30b94de

Download Submit
memory/2564-9-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

Filesize
10.8MB

Download
memory/2564-0-0x00007FFBDD053000-0x00007FFBDD055000-memory.dmp

Filesize
8KB

Download
memory/2564-1-0x0000000000750000-0x0000000000A74000-memory.dmp

Filesize
3.1MB

Download
memory/2564-2-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

Filesize
10.8MB

Download
memory/4964-15-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

Filesize
10.8MB

Download
memory/4964-11-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

Filesize
10.8MB

Download
memory/4964-10-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

Filesize
10.8MB

Download
memory/4964-12-0x00000000036D0000-0x0000000003720000-memory.dmp

Filesize
320KB

Download
memory/4964-13-0x000000001CC50000-0x000000001CD02000-memory.dmp

Filesize
712KB

Download
memory/4964-14-0x000000001D340000-0x000000001D868000-memory.dmp

Filesize
5.2MB

Download
memory/4964-16-0x00007FFBDD050000-0x00007FFBDDB12000-memory.dmp

Filesize
10.8MB

Download