Analysis
- max time kernel: 592s
- max time network: 600s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 22:47
Behavioral task: behavioral1
Sample: sp00fer.exe
Resource: win7-20240508-en
General
- Target: sp00fer.exe
- Size: 3.1MB
- MD5: a121d9d691a400786000dee14a808ab1
- SHA1: 14ab065be3cfe0a7aa7808cb8891f7c75affc395
- SHA256: 7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335
- SHA512: e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929
- SSDEEP: 49152:zvulL26AaNeWgPhlmVqvMQ7XSKLCO1JRLoGdFTHHB72eh2NT:zveL26AaNeWgPhlmVqkQ7XSKLCE
Malware Config
Extracted
quasar
1.4.1
Office04
pringelsy-51954.portmap.host:51954
6dc28d35-3024-44a7-a559-f9991015fa39
- encryption_key: 3107DF2D44BB6914C55BEA57D100135AB0F278DF
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 799
- startup_key: Quasar Client Startup
- subdirectory: Common Files
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/644-1-0x0000000000240000-0x0000000000564000-memory.dmp | family_quasar
C:\Program Files\Common Files\Client.exe | family_quasar
-
Checks computer location settings 2 TTPs 29 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Client.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Client.exe
-
Executes dropped EXE 30 IoCs
Processes:
Client.exe
-
Drops file in Program Files directory 63 IoCs
Processes:
Client.exe
sp00fer.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files | Client.exe
File opened for modification | C:\Program Files\Common Files\Client.exe | Client.exe
File opened for modification | C:\Program Files\Common Files | sp00fer.exe
File opened for modification | C:\Program Files\Common Files\Client.exe | sp00fer.exe
File created | C:\Program Files\Common Files\Client.exe | sp00fer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 29 IoCs
Processes:
PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 31 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
sp00fer.exe
Client.exe
description | pid | process
Token: SeDebugPrivilege | 644 | sp00fer.exe
Token: SeDebugPrivilege | 1692, 2264, 2504, 2436, 4916, 1316, 2696, 3972, 4732, 4920, 2544, 3692, 2044, 1448, 3472, 1380, 2988, 4300, 4856, 860, 3080, 1880, 228, 1352, 1164, 2160, 432, 2492, 4508, 3512 | Client.exe
-
Suspicious use of FindShellTrayWindow 30 IoCs
Processes:
Client.exe
-
Suspicious use of SendNotifyMessage 30 IoCs
Processes:
Client.exe
-
Suspicious use of SetWindowsHookEx 27 IoCs
Processes:
Client.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
sp00fer.exe
Client.exe
cmd.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sp00fer.exe
"C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8437ejfa3Jqc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com
chcp 65001
4⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AQf1zWYsGXV.bat" "
5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com
chcp 65001
6⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H3rNf0EFGPk2.bat" "
7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com
chcp 65001
8⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t3RmombxiHxi.bat" "
9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com
chcp 65001
10⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqiWikAmQ5zo.bat" "
11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com
chcp 65001
12⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vr38kIKgT17Z.bat" "
13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com
chcp 65001
14⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\go4wxzMQR1ZD.bat" "
15⤵
-
C:\Windows\system32\chcp.com
chcp 65001
16⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T6bdw1iZbDU3.bat" "
17⤵
-
C:\Windows\system32\chcp.com
chcp 65001
18⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMQV3SO8OSQj.bat" "
19⤵
-
C:\Windows\system32\chcp.com
chcp 65001
20⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WZ8EhzHMlKez.bat" "
21⤵
-
C:\Windows\system32\chcp.com
chcp 65001
22⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bovTrPTikkeZ.bat" "
23⤵
-
C:\Windows\system32\chcp.com
chcp 65001
24⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RF4ZO4U1Bdd4.bat" "
25⤵
-
C:\Windows\system32\chcp.com
chcp 65001
26⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYy1t8J0fTuh.bat" "
27⤵
-
C:\Windows\system32\chcp.com
chcp 65001
28⤵
-
C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [29]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IHNJ1ibp348P.bat" " [29]
-
C:\Windows\system32\chcp.com: chcp 65001 [30]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [30]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [30]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [31]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQfyaqfAmInH.bat" " [31]
-
C:\Windows\system32\chcp.com: chcp 65001 [32]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [32]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [32]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [33]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMpELHOEHWfZ.bat" " [33]
-
C:\Windows\system32\chcp.com: chcp 65001 [34]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [34]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [34]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [35]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMom6kreZ7rd.bat" " [35]
-
C:\Windows\system32\chcp.com: chcp 65001 [36]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [36]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [36]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [37]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqMByihvmVnP.bat" " [37]
-
C:\Windows\system32\chcp.com: chcp 65001 [38]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [38]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [38]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [39]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCJ5X62jMXFV.bat" " [39]
-
C:\Windows\system32\chcp.com: chcp 65001 [40]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [40]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [40]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [41]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbrpqeUALMFC.bat" " [41]
-
C:\Windows\system32\chcp.com: chcp 65001 [42]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [42]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [42]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [43]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1G9WYM7Vybg.bat" " [43]
-
C:\Windows\system32\chcp.com: chcp 65001 [44]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [44]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [44]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [45]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\grtjy5x2xeET.bat" " [45]
-
C:\Windows\system32\chcp.com: chcp 65001 [46]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [46]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [46]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [47]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ku0uRusxxzLD.bat" " [47]
-
C:\Windows\system32\chcp.com: chcp 65001 [48]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [48]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [48]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [49]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsHXPefbcMFX.bat" " [49]
-
C:\Windows\system32\chcp.com: chcp 65001 [50]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [50]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [50]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [51]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Y91bqOXpQ3V.bat" " [51]
-
C:\Windows\system32\chcp.com: chcp 65001 [52]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [52]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [52]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [53]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JhWfCWRCXS1j.bat" " [53]
-
C:\Windows\system32\chcp.com: chcp 65001 [54]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [54]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [54]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [55]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v7sPxfCGtP3E.bat" " [55]
-
C:\Windows\system32\chcp.com: chcp 65001 [56]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [56]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [56]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [57]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0HqSJtuPCEoQ.bat" " [57]
-
C:\Windows\system32\chcp.com: chcp 65001 [58]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [58]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [58]
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [59]
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmyBg5OA9pqr.bat" " [59]
-
C:\Windows\system32\chcp.com: chcp 65001 [60]
-
C:\Windows\system32\PING.EXE: ping -n 10 localhost [60]
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe: "C:\Program Files\Common Files\Client.exe" [60]
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f [61]
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads