Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 20:41
General
Target: twojamatkat-built.exe
Size: 3.1MB
MD5: 27dad1cf69f9cb558f4d975c8bf34faa
SHA1: ea7beaa366b83b6e8410b10cdf055d08df49c907
SHA256: 910222c58e9a584fe4015ef10462470b320b624d7b56056b3ffcf7ea2f479b80
SHA512: 5f2251f3b017ee9103416928d23d179de716f84d21c287b441d05130b8102df9b8fe616a46a15e62ad524f27b99beb755949ab0d79c1ef9d77b25eb079076c1a
SSDEEP: 49152:Xv+e821/aQWl8P0lSk3aKA3Z+ndBxNESEzk/iNLoGdWLTHHB72eh2NT:Xv9821/aQWl8P0lSk3DA3Z+nbxmF
Malware Config
Extracted
quasar
1.4.1
Office04
performance-ha.gl.at.ply.gg:33365
performance-ha.gl.at.ply.gg:13678
ba5220e2-c4e8-4381-aad8-a85115ef955e
encryption_key: 67C139F3E9A16FF8132A3DCF42197B8BA3C38609
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar payload 2 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/3860-1-0x00000000004D0000-0x00000000007F4000-memory.dmp | family_quasar |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar |
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Client.exe |

(This row appears 9 times in the report.)
Executes dropped EXE 10 IoCs
Processes:
| pid | process |
| --- | --- |
| 1928 | Client.exe |
| 3264 | Client.exe |
| 2104 | Client.exe |
| 2460 | Client.exe |
| 3864 | Client.exe |
| 2568 | Client.exe |
| 4496 | Client.exe |
| 3836 | Client.exe |
| 4792 | Client.exe |
| 4652 | Client.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 9 IoCs
Processes:
| pid | process |
| --- | --- |
| 1896 | PING.EXE |
| 2328 | PING.EXE |
| 2040 | PING.EXE |
| 3704 | PING.EXE |
| 4664 | PING.EXE |
| 2704 | PING.EXE |
| 4876 | PING.EXE |
| 1940 | PING.EXE |
| 3356 | PING.EXE |
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3860 | twojamatkat-built.exe |
| Token: SeDebugPrivilege | 1928 | Client.exe |
| Token: SeDebugPrivilege | 3264 | Client.exe |
| Token: SeDebugPrivilege | 2104 | Client.exe |
| Token: SeDebugPrivilege | 2460 | Client.exe |
| Token: SeDebugPrivilege | 3864 | Client.exe |
| Token: SeDebugPrivilege | 2568 | Client.exe |
| Token: SeDebugPrivilege | 4496 | Client.exe |
| Token: SeDebugPrivilege | 3836 | Client.exe |
| Token: SeDebugPrivilege | 4792 | Client.exe |
| Token: SeDebugPrivilege | 4652 | Client.exe |
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
| pid | process |
| --- | --- |
| 1928 | Client.exe |
| 3264 | Client.exe |
| 2104 | Client.exe |
| 2460 | Client.exe |
| 3864 | Client.exe |
| 2568 | Client.exe |
| 4496 | Client.exe |
| 3836 | Client.exe |
| 4792 | Client.exe |
| 4652 | Client.exe |
Suspicious use of SendNotifyMessage 10 IoCs
Processes:
| pid | process |
| --- | --- |
| 1928 | Client.exe |
| 3264 | Client.exe |
| 2104 | Client.exe |
| 2460 | Client.exe |
| 3864 | Client.exe |
| 2568 | Client.exe |
| 4496 | Client.exe |
| 3836 | Client.exe |
| 4792 | Client.exe |
| 4652 | Client.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
(Each row below appears twice in the report, giving the 64 entries counted above.)
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3860 wrote to memory of 1928 | 3860 | twojamatkat-built.exe | Client.exe |
| PID 1928 wrote to memory of 4056 | 1928 | Client.exe | cmd.exe |
| PID 4056 wrote to memory of 2436 | 4056 | cmd.exe | chcp.com |
| PID 4056 wrote to memory of 1896 | 4056 | cmd.exe | PING.EXE |
| PID 4056 wrote to memory of 3264 | 4056 | cmd.exe | Client.exe |
| PID 3264 wrote to memory of 4428 | 3264 | Client.exe | cmd.exe |
| PID 4428 wrote to memory of 2696 | 4428 | cmd.exe | chcp.com |
| PID 4428 wrote to memory of 2704 | 4428 | cmd.exe | PING.EXE |
| PID 4428 wrote to memory of 2104 | 4428 | cmd.exe | Client.exe |
| PID 2104 wrote to memory of 452 | 2104 | Client.exe | cmd.exe |
| PID 452 wrote to memory of 916 | 452 | cmd.exe | chcp.com |
| PID 452 wrote to memory of 2328 | 452 | cmd.exe | PING.EXE |
| PID 452 wrote to memory of 2460 | 452 | cmd.exe | Client.exe |
| PID 2460 wrote to memory of 1044 | 2460 | Client.exe | cmd.exe |
| PID 1044 wrote to memory of 3732 | 1044 | cmd.exe | chcp.com |
| PID 1044 wrote to memory of 4876 | 1044 | cmd.exe | PING.EXE |
| PID 1044 wrote to memory of 3864 | 1044 | cmd.exe | Client.exe |
| PID 3864 wrote to memory of 2308 | 3864 | Client.exe | cmd.exe |
| PID 2308 wrote to memory of 2868 | 2308 | cmd.exe | chcp.com |
| PID 2308 wrote to memory of 1940 | 2308 | cmd.exe | PING.EXE |
| PID 2308 wrote to memory of 2568 | 2308 | cmd.exe | Client.exe |
| PID 2568 wrote to memory of 2380 | 2568 | Client.exe | cmd.exe |
| PID 2380 wrote to memory of 4940 | 2380 | cmd.exe | chcp.com |
| PID 2380 wrote to memory of 2040 | 2380 | cmd.exe | PING.EXE |
| PID 2380 wrote to memory of 4496 | 2380 | cmd.exe | Client.exe |
| PID 4496 wrote to memory of 1116 | 4496 | Client.exe | cmd.exe |
| PID 1116 wrote to memory of 4316 | 1116 | cmd.exe | chcp.com |
| PID 1116 wrote to memory of 3704 | 1116 | cmd.exe | PING.EXE |
| PID 1116 wrote to memory of 3836 | 1116 | cmd.exe | Client.exe |
| PID 3836 wrote to memory of 560 | 3836 | Client.exe | cmd.exe |
| PID 560 wrote to memory of 2024 | 560 | cmd.exe | chcp.com |
| PID 560 wrote to memory of 3356 | 560 | cmd.exe | PING.EXE |
Processes
(Each entry gives the process-tree level, the image path, and the command line.)

[level 1] C:\Users\Admin\AppData\Local\Temp\twojamatkat-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\twojamatkat-built.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[level 2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 3] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P7TZJuKrYWHQ.bat" "
- Suspicious use of WriteProcessMemory

[level 4] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 4] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 5] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65OswQAKZC4A.bat" "
- Suspicious use of WriteProcessMemory

[level 6] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 7] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQii8SRd8rmc.bat" "
- Suspicious use of WriteProcessMemory

[level 8] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 8] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 9] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyYgZ6bb1h7u.bat" "
- Suspicious use of WriteProcessMemory

[level 10] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 10] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 11] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IPHtFtAEok1A.bat" "
- Suspicious use of WriteProcessMemory

[level 12] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 12] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 13] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\datgLpV5rjdI.bat" "
- Suspicious use of WriteProcessMemory

[level 14] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 14] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 15] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sS0zbHsBByJN.bat" "
- Suspicious use of WriteProcessMemory

[level 16] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 16] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[level 17] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkbYDcTEPlwY.bat" "
- Suspicious use of WriteProcessMemory

[level 18] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 18] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[level 19] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiwRbPgeLbhY.bat" "

[level 20] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 20] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
- Runs ping.exe

[level 20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads