quasar | hxxp://e[.]pc[.]cd/C32y6alK

Analysis

max time kernel
97s
max time network
99s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-02-2025 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://e.pc.cd/C32y6alK

Score

10^/10

quasar githubyt discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

githubyt

87.228.57.81:4782

Mutex

cf3988ab-2fd9-4544-a16f-9faa71eb5bac

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchoost.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000028169-977.dat	family_quasar
behavioral1/memory/4480-988-0x0000000000B70000-0x0000000000E94000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5004	powershell.exe
3796	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
119	2404	soft 1.14.exe
152	3180	soft 1.14.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\International\Geo\Nation	soft 1.14.exe

Executes dropped EXE 4 IoCs

pid	Process
2404	soft 1.14.exe
4480	ohummaoc.exe
2432	Client.exe
3180	soft 1.14.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
118	raw.githubusercontent.com
119	raw.githubusercontent.com
152	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soft 1.14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soft 1.14.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3032	schtasks.exe
4884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5000	msedge.exe
5000	msedge.exe
1648	msedge.exe
1648	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
2504	msedge.exe
2504	msedge.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeRestorePrivilege	2916	7zG.exe
Token: 35	2916	7zG.exe
Token: SeSecurityPrivilege	2916	7zG.exe
Token: SeSecurityPrivilege	2916	7zG.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe
Token: 36	5004	powershell.exe
Token: SeDebugPrivilege	2404	soft 1.14.exe
Token: SeDebugPrivilege	4480	ohummaoc.exe
Token: SeDebugPrivilege	2432	Client.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeIncreaseQuotaPrivilege	3796	powershell.exe
Token: SeSecurityPrivilege	3796	powershell.exe
Token: SeTakeOwnershipPrivilege	3796	powershell.exe
Token: SeLoadDriverPrivilege	3796	powershell.exe
Token: SeSystemProfilePrivilege	3796	powershell.exe
Token: SeSystemtimePrivilege	3796	powershell.exe
Token: SeProfSingleProcessPrivilege	3796	powershell.exe
Token: SeIncBasePriorityPrivilege	3796	powershell.exe
Token: SeCreatePagefilePrivilege	3796	powershell.exe
Token: SeBackupPrivilege	3796	powershell.exe
Token: SeRestorePrivilege	3796	powershell.exe
Token: SeShutdownPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeSystemEnvironmentPrivilege	3796	powershell.exe
Token: SeRemoteShutdownPrivilege	3796	powershell.exe
Token: SeUndockPrivilege	3796	powershell.exe
Token: SeManageVolumePrivilege	3796	powershell.exe
Token: 33	3796	powershell.exe
Token: 34	3796	powershell.exe
Token: 35	3796	powershell.exe
Token: 36	3796	powershell.exe
Token: SeDebugPrivilege	3180	soft 1.14.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1636	1648	msedge.exe	84
PID 1648 wrote to memory of 1636	1648	msedge.exe	84
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 2288	1648	msedge.exe	85
PID 1648 wrote to memory of 5000	1648	msedge.exe	86
PID 1648 wrote to memory of 5000	1648	msedge.exe	86
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87
PID 1648 wrote to memory of 4896	1648	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://e.pc.cd/C32y6alK
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff9f5746f8,0x7fff9f574708,0x7fff9f574718
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,10707143893441370294,15799052744770544212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:816

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\soft 1.14\" -ad -an -ai#7zMap26839:80:7zEvent4985
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Users\Admin\Downloads\soft 1.14\soft 1.14.exe
"C:\Users\Admin\Downloads\soft 1.14\soft 1.14.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\odplupmha'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\odplupmha\ohummaoc.exe
  "C:\odplupmha\ohummaoc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3032
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2432
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4884

C:\Users\Admin\Downloads\soft 1.14\soft 1.14.exe
"C:\Users\Admin\Downloads\soft 1.14\soft 1.14.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\losfsqty'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f9349064c7c8f8467cc12d78a462e5f9

SHA1
5e1d27fc64751cd8c0e9448ee47741da588b3484

SHA256
883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

SHA512
3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\soft 1.14.exe.log

Filesize
847B

MD5
72305e6c7d0336a5b729781f69fcd4af

SHA1
afc5955b5f991f9845b795dc207582b3d9500a1a

SHA256
4597cbb41260631877633b75248620cbff79d2359c5f553b41d1e845080f6399

SHA512
e6b375610cdbfa36925fb77999fb5adcdb34b7a4805f560ba1222568ab3b22fbb10c2e069979ad01cb7fe543495d9ce459cb43b8769b462a2f152e86aa1eb5d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e97a507db8325bbdef7b1fcadf06f86

SHA1
7782c07045983db5ad0e43939b0c47b5f8e68736

SHA256
6f1f11f1f73b9c7c2e6866ea6759c409515884f382e22135c9ffde466accacb1

SHA512
47f8687649252eaa47447c56d53377577cfaad1d1a329f26d90d4b6a2f60110e022f262e98f77c409990909ed442e95a3a144971bda607fbbf8c5c52ca9f3f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
5f268d30a1c107ae9d781f2c9528ea81

SHA1
edbf773c96b6af9635b54690c978e94e18b5638d

SHA256
0c91561e0580438d20083f1242966286feb13c27af2e9b8a57b32120b295c383

SHA512
32820f63be4232789e319f1ba61258fecb041c19b69ebe94c3b688d08fb6f2fdb4eda5203c4377205bb209e5519da4a133a764678114c2149c4fcaf9456f6de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
580B

MD5
cc470ce89a87a9121ce680ec55a3e3db

SHA1
4cbc59164df7a06f9b3f49ce519d127250f754c4

SHA256
ea0812492103da00d3e1be054b8cdd5918af1f4a3503a26025d022102c795135

SHA512
16b01c7d07b2b0ac8b1c835715ae8e185a6fbf1a4eaeba319a50627b63b9001caef2f1099de7906261bb3d7a423636b5ebb63041537d5e63d5aea714684532b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5fbfabdf9ea4ef637db8aa8a3e4975c

SHA1
d986b2795042eafba504e9c4b8edbb702fa07216

SHA256
7451850434a295a316ae7aa8f9aaabdffb3066c8a71c7c5395ef8ff4e1987ad8

SHA512
6f603e237b3dacfd9cac6ef7e630aa1f6c0d7fb0df418fd8d1e9dc3191288d2452d3b22a2fdc32d9f0dccc5c6122f438bf12e6c9e6801cd702292b439f5220e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cfcbffa515f28643f2729cb47a9c0d0b

SHA1
a3748dc148b02355fb7f567b203f5969f5ae7632

SHA256
5421e68acee882c92e1177b5d5d6abdce78330b9f6d1c785dc5fc08de7e382ca

SHA512
65066a2899ebe8fd8a368c8c2c2e77666896bdcef1b61352e9804561aa6d04ef668b27bf5b8ba30e13b7141b9a13c759bd285bb46286fcb90a8fa01a13808120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
61dcde85769902b6ea0f08945d6273c6

SHA1
6464c266521ecfd20f8da4040fc00628367c29eb

SHA256
25f35e6142c062e6d5c34cc0a28ba8d19165c4f04144ceab6f4dedca615e7016

SHA512
74ffbddffac90f3ed67e5f530f2a74a7059760e7371b792dc12a5ce3161ef1eb507ee8cb171850f76c503b1801b64a868e5d34ca6bc6baa52f7e582e07e6e4a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33a7ea8c02710fca0488ce8e093da74b

SHA1
daef93925d43f5b2cd1a35778d6300a132a8cbeb

SHA256
04ed2a69c410b80c6fbb101cb33478a5eb1cd9a10888352f58e32ba479675934

SHA512
d9e177d52e935b5c04def70cbe749da3f21c94a64451f0cc05c2a40f7856dc193e60e3a29c66e1b42c4951e4821483aa58451eca6c90fc8d2dd9d42d8e4d3ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3dbdca581a175267acd89d990fb36afd

SHA1
0298bbd8f9421f48cd7eee1f6522d365f5cacca1

SHA256
a29854b657c29ea59851d12dd02f2802f4f9c01fdac318aab561e3dcc1fc9b6d

SHA512
1ff3162e971afbd0765fb630ab494c70f569a39727226fabaec0b1f2beffb1dd8400acf4c11ea60d70a05616d743a0d246bbe23ceb260a38fe25eaee341d147f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
580f41a17061a1d849f7e9d60ff18aa6

SHA1
762fd39e2b9eb3e21d51f4ebd7c55e0557420800

SHA256
83637c94ec37e78e34bf1cda227eed230a7424e39f0dec45bc07cf3f4f22d139

SHA512
3ea6bae95cdf95e30429bd39dc5c8d0cd18337d63916972d21d0b86ae21b472fa1da6ff0f57f03268b447b47efd17b6ebd435df3737a3da562772b5f69038802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
61f261d035256418f66160bc680d0587

SHA1
d1a615ac42ee13e2aa5c6fbe9a2e38d7afea0e95

SHA256
3b039302190eaec3132a7020a7fc6b5bfd76d2ac82b78ef208be99b9013f6be0

SHA512
a8ed08869a376695762cccfe591c4e413416a5afc784449d713cb5914286847a119b02d6463b3ee55b5f877b18c7d1a6171a18eb11b76eeab782a706ca4739d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab9b9f49-557b-49ed-8d7e-84231b7fb7ed.tmp

Filesize
707B

MD5
6e2fcf8bf7104ffc368ac34418de306a

SHA1
9c5ab08bf805db47edf398d0f1c41592711f6639

SHA256
5c3727809c4f44a2b1fb8d2d5ed577680b0e7717bea3d2471ce7686716281790

SHA512
b140c2167bfa9de01ec8b65a50ab8dce3eeaf7edad55fdac484ad0c84064b7e2a67871f7b697a00674c833fe1036865b8faa16a0d209f4afb492fff330a09b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eb379d5ea2761a4bb56d7a9476d15912

SHA1
9e6c84209e6acb01ab5c686277bcdab0420abe97

SHA256
ceb62d59e15fb4d1a17eb960b5b0142435fec153e2c7dfb0948b58560b035213

SHA512
2223d9fb57430435377e700fb9e74c06c29135206b2d272939de14cef6b227f49086166559f83a5c28b17f73f8787d21375204094d0795ad4570c754418abaa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
066a5aeff5d7c231fe8763dcea03ca4b

SHA1
2832d65268e04941e2b12ef5bddabb6dd15db8be

SHA256
8c0b5529d3fe78414727a01ebf0840c3639b87a87e48251e7360330e1e0b0d99

SHA512
970521eda300c1e9e3faefc9c47cf55dddd2372a71bd20975b9ad037475451fd17cfab321581ac6dd5d9975cfcdde64f361100b8e8edc02c9e20580cabd2f86c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5757635f67570db6a26b39309c62acf3

SHA1
39ef25fdfc2de516ab4cea8f266deee2db994530

SHA256
80dc5607c823b10feb4f36a564c1a90e1ddda8f38ff8926eb88d9dc2be68ab10

SHA512
aa4eecb743344afe2a1214351f58127dc28470cda08ec30247a3fe8b6229a50e1655f7397b202963b5a20d53ff09cb29b74d0feb9c4300c2fb3684ee90561f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
39377f1ff4e11354c583deb430a5a01c

SHA1
e57374e354529d3a50db85e7a20cadd9db3351e9

SHA256
6981afd1b09da8be77550d4f55084022f2ba9014073d50ba55da484a116d9de5

SHA512
22c6ccc6c347a8aaa6fbe58832800206d55a3098ec74043cb9233f01710f246b3d8a7e290545927956094f6369511cdbd50e84faf634de3f132a5b8795705745

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_op2s5mju.gdi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\soft 1.14\soft 1.14.exe

Filesize
13KB

MD5
8abd6521bc864a5ac8386ee53571fb5b

SHA1
a46315f879182ca7e19b4cc5461a937d7ebc4366

SHA256
3c7d2f20d9c6a64a8438c336f8f7a2ac31bbae10b276ede629c2b903b05dcf73

SHA512
03e1318fc87d06411d5f52cd5a779275c1f2fcb67e495497585a3b8233692cd472a0d39c21f1776faceec9141691696da03beea198acd655bad7c06a7aa42373

Download Submit
C:\odplupmha\ohummaoc.exe

Filesize
3.1MB

MD5
766e053d13e4f6750e8f694efb00fad0

SHA1
2a0e1ca7711795dfe50231d03ab7d0349014df5e

SHA256
0502a8da4a9f46a7375766b83d181aa9f38e9969b10801f80736a3598410a281

SHA512
3de1970fc083d404a28827f25e0ff4f096d6b75a2c2367bff0476857f5e217da3f6c40f531c2b835b31233bde53bc51086c6784985294e97ce21523bbef2bd7f

Download Submit
memory/2404-890-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2432-1005-0x000000001CF20000-0x000000001CF70000-memory.dmp

Filesize
320KB

Download
memory/2432-1006-0x000000001D030000-0x000000001D0E2000-memory.dmp

Filesize
712KB

Download
memory/3796-1072-0x00000000059D0000-0x0000000005D27000-memory.dmp

Filesize
3.3MB

Download
memory/3796-1074-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/3796-1075-0x0000000071290000-0x00000000712DC000-memory.dmp

Filesize
304KB

Download
memory/3796-1085-0x0000000007290000-0x0000000007333000-memory.dmp

Filesize
652KB

Download
memory/4480-988-0x0000000000B70000-0x0000000000E94000-memory.dmp

Filesize
3.1MB

Download
memory/5004-935-0x0000000007A30000-0x0000000007AC6000-memory.dmp

Filesize
600KB

Download
memory/5004-934-0x0000000007820000-0x000000000782A000-memory.dmp

Filesize
40KB

Download
memory/5004-933-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/5004-932-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/5004-931-0x0000000007680000-0x0000000007723000-memory.dmp

Filesize
652KB

Download
memory/5004-930-0x0000000006A60000-0x0000000006A7E000-memory.dmp

Filesize
120KB

Download
memory/5004-920-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/5004-919-0x0000000007640000-0x0000000007672000-memory.dmp

Filesize
200KB

Download
memory/5004-918-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/5004-917-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/5004-911-0x0000000005E60000-0x00000000061B7000-memory.dmp

Filesize
3.3MB

Download
memory/5004-900-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/5004-901-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/5004-899-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/5004-898-0x0000000005710000-0x0000000005DDA000-memory.dmp

Filesize
6.8MB

Download
memory/5004-897-0x0000000002D60000-0x0000000002D96000-memory.dmp

Filesize
216KB

Download