quasar | 2e1e9dc2fa7ba5b2c74933c6d6d7a1ba9c131e8ac53bddf816ab45a24b30f2c9

Analysis

max time kernel
898s
max time network
552s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
19/04/2025, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RUN_ME.bat
Size

5KB
MD5

d0fb2b898127e72c285d6478c0989d69
SHA1

021ed2c902029ed393052e42351086db991c3ebd
SHA256

2e1e9dc2fa7ba5b2c74933c6d6d7a1ba9c131e8ac53bddf816ab45a24b30f2c9
SHA512

e8dfcf4dd115d187a2c2e3e8b59865d51bcbfb53f1de9906ae893ceb7d3bd2576f43f16ac974d7af371e4cd525f80038c1f7cdd0206f9cc0c17e73dba9c535f4
SSDEEP

96:/XqD95VsQtOJQR1a+MKTADqW7ymLElrbefZ0NdSD4+q0:/XqD/V0QR1a+MYADqW2mLcbef6S8K

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000028268-78.dat	family_quasar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	3768	powershell.exe
10	3768	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
10	3768	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\Control Panel\International\Geo\Nation	Pulsar.exe

Executes dropped EXE 4 IoCs

pid	Process
4660	Pulsar.exe
5800	Client-built.exe
5240	Client-built.exe
3408	Client-built.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3768	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Client-built.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Client-built.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000008a5a788112004170704461746100400009000400efbe8a5a7881935a22ab2e000000ff0501000000020000000000000000000000000000003ad9a5004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Pulsar.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4"	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Pulsar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Pulsar.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Pulsar.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Pulsar.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Pulsar.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 5600310000000000935a23ab1000526f616d696e6700400009000400efbe8a5a7881935a24ab2e00000000060100000002000000000000000000000000000000ba8f190152006f0061006d0069006e006700000016000000	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Pulsar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5600310000000000935a23ab1000526f616d696e6700400009000400efbe8a5a7881935a24ab2e00000000060100000002000000000000000000000000000000ba8f190152006f0061006d0069006e006700000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "726"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "126"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Pulsar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 5400310000000000935a34ab100050756c73617200003e0009000400efbe935a23ab935a34ab2e0000006682020000000800000000000000000000000000000018793001500075006c00730061007200000016000000	Pulsar.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000008a5adb88100041646d696e003c0009000400efbe8a5a7881935a22ab2e000000f4050100000002000000000000000000000000000000cbafa900410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 820074001c004346534616003100000000008a5a7881120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe8a5a7881935a22ab2e000000ff0501000000020000000000000000000000000000003ad9a5004100700070004400610074006100000042000000	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Pulsar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Pulsar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Pulsar.exe
Key created	\REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4856	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
5800	Client-built.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
5240	Client-built.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
3408	Client-built.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4660	Pulsar.exe
4856	explorer.exe
964	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	5800	Client-built.exe
Token: SeDebugPrivilege	964	taskmgr.exe
Token: SeSystemProfilePrivilege	964	taskmgr.exe
Token: SeCreateGlobalPrivilege	964	taskmgr.exe
Token: SeDebugPrivilege	5240	Client-built.exe
Token: SeDebugPrivilege	3408	Client-built.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4660	Pulsar.exe
4660	Pulsar.exe
4856	explorer.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4660	Pulsar.exe
4660	Pulsar.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4856	explorer.exe
4856	explorer.exe
4660	Pulsar.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5568 wrote to memory of 3768	5568	cmd.exe	82
PID 5568 wrote to memory of 3768	5568	cmd.exe	82
PID 3768 wrote to memory of 4660	3768	powershell.exe	87
PID 3768 wrote to memory of 4660	3768	powershell.exe	87
PID 4660 wrote to memory of 4540	4660	Pulsar.exe	92
PID 4660 wrote to memory of 4540	4660	Pulsar.exe	92
PID 4660 wrote to memory of 4016	4660	Pulsar.exe	95
PID 4660 wrote to memory of 4016	4660	Pulsar.exe	95
PID 4016 wrote to memory of 1660	4016	csc.exe	97
PID 4016 wrote to memory of 1660	4016	csc.exe	97
PID 4856 wrote to memory of 5800	4856	explorer.exe	99
PID 4856 wrote to memory of 5800	4856	explorer.exe	99
PID 4856 wrote to memory of 5240	4856	explorer.exe	102
PID 4856 wrote to memory of 5240	4856	explorer.exe	102
PID 4856 wrote to memory of 3408	4856	explorer.exe	103
PID 4856 wrote to memory of 3408	4856	explorer.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RUN_ME.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "iex ((Get-Content 'C:\Users\Admin\AppData\Local\Temp\RUN_ME.bat') -join [Environment]::Newline); iex 'main '"
  2⤵
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.exe
    "C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" /select, "C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.p12"
      4⤵
      PID:4540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xe4kzlbc\xe4kzlbc.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F89.tmp" "c:\Users\Admin\AppData\Roaming\Pulsar\CSC7E4DD206703F43818C8367B36C185023.TMP"
        5⤵
        
        PID:1660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5800
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5240
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:964

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8F89.tmp

Filesize
1KB

MD5
55559259ef6172effa6ab806b81fb154

SHA1
feab4f47cbccf950ca9108b53278df9bc78d0009

SHA256
40b2c69cb889064eaf93b74bc754feb9a3b2db80382f3a633e0b788b7d5a9c00

SHA512
d862ad3af6839fe441eb4110d4315a20a4dfcaa5cf81f3fe5aeec1e6ae9f2dd7f6a1b503bb03c407e2d535551d06bfdc4862d8f15a8076cecd6970d504c87cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyzsu34w.epf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4260291853-3905407524-539084913-1000\ffdbfd573f1cd5991d8e59089210bd71_3b79e808-a9c3-4751-938e-a5cd9a564a03

Filesize
3KB

MD5
ed4b10b6f15a89426b5ed8b3b4e03dda

SHA1
c4ac36c85b848bf0659bff24ba27ef7b4c74de7e

SHA256
a16ddabc4d8dd28d468c3ff9678fade9429b12d8bdd9341f18f57f60b3eac707

SHA512
53d551890dd6f51a8e8208009dbe83726a47332909a8850ed690d6cd27d6938029910b0c2f2ef1e0bb337af5032096f4e8f4e4a733afaf54d7f7f4e5359cacdd

Download Submit
C:\Users\Admin\AppData\Roaming\Pulsar\Profiles\Default.xml

Filesize
256B

MD5
0e0fab218279ddbd93e4baff51e652ab

SHA1
a59ba43a9a9bcff9efc9af14dc79c01da1e4fee9

SHA256
557193611480bae3f2ea0491aacc4ceef8b93a91cf85e335594fcc11f76013f1

SHA512
95d9d0490821d05d0673f76f39d21d5ad2b3fc36c3e2604a6ff112440522503e4cf2a2e0bf4e9afa2cd3e11354970d8fcba5c7245cb563f317eda915e23c1b5e

Download Submit
C:\Users\Admin\AppData\Roaming\Pulsar\Profiles\Default.xml

Filesize
965B

MD5
429d92c12eb92477403c6e8d7643c8f8

SHA1
bfcf57d9c43bf69fec955f962427610a82173d1c

SHA256
ad4b41e02f607fa43400cc99457863186c575781742bcf79b48b622b97d72f0d

SHA512
1a619ae582a435299a88b9252107fbfc2e428473af912cdcdfb34b82a6eefa92fd641d2322fa44853e403b98f7f33d05ba39288c86551e55655ceda2fb09de2e

Download Submit
C:\Users\Admin\AppData\Roaming\Pulsar\Profiles\Default.xml

Filesize
1000B

MD5
119ff148c1dd99c2d2db1b7c4ec9303d

SHA1
f46f4d954e42e12338051d744a99fbf2e3f3f89e

SHA256
cb9dd4b9223e328520a1c6527bc648f58e9bd6cab5703bc3bb4b70d7004d5ffa

SHA512
fd6c550fdde044177f70a65abc205faf2a99aaa213224dd0178901e2d34e64099c2a659f97c69ac040f58a29c914c53ae32bf5cc1ad807aa5918902bfe9e7e1a

Download Submit
C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.exe

Filesize
5.2MB

MD5
0274629d862fb065ecc7d90b48ec4259

SHA1
273513efef0806e045df3ed1f07f3ace880f9162

SHA256
84dd1924dbbcd76bccceb5c7c1315ee881db60444e0bfacc4fa56fab90f8bbe2

SHA512
10f60061739738563b49373a3d1faa7e157891e76227e8ce01ea3abbea11b848acfb543f21702d94bfa0f8a3a949a5df841fb3b8f21f18794d629c2dc20b91ce

Download Submit
C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.p12

Filesize
4KB

MD5
3183c81cb48da400b668143206d1ab02

SHA1
7c31f02be3c65b29e4121552451c545d0d356379

SHA256
99b039a37676f8433ab7f3c03352fdcd31b4c0fb5ad95c68d40d44fa5243dd52

SHA512
9c8dfbfe93e1db8a7b8716fba89d497d55c761be31717751b11bb4e762565eb062ed2479e4bd7f374d5a2722cb37d26954f343302174fc7045d3d17999238e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Pulsar\client.bin

Filesize
1.5MB

MD5
015667f5caa51910369a642ca49d6387

SHA1
19904811cc3d746ccdea0d055f4fe4d0c9b24182

SHA256
93a0ae9059cad5f06258e1f22f1aed4d827c9504886ac7a971860f6c91724c16

SHA512
9d22a54f8d621f5d4446c8524ed007dd6df5a3ca6c2dddc4102fc1ed5875f88fde8e81c1b1e0d2643c439ed891123e4bb758854d723cd78bed513c595075d24a

Download Submit
C:\Users\Admin\AppData\Roaming\Pulsar\temploader.exe

Filesize
4KB

MD5
cfb32d781e7e8ce33345597522661fa7

SHA1
fd095e263d6a6a33202c7be19a6879e067a95965

SHA256
1bc124b1360c0b8814485afc714de64106c7f617c0ebcbf22e97dad5502d81cd

SHA512
55e120a69604002aefb2083a8caf317a8a2790e4626bbba1f944563e763d61eb729b02850a92ee83db9639f89de518e61e354d44e2bf1a72739081f90e487258

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
1.4MB

MD5
22fdbf6dc017d58aa82e5e152a838a67

SHA1
452e308c3be123f0dbc88f85a086db861b410bff

SHA256
9a42fd4ba34502608dcda2c3d32e59084f89856151a579fb66301ed1a72cb244

SHA512
c5148ae61359915d3e42da8fa0c7896bac3fa16c8c8bc289d4b3c0870af35116ccf80b6cf5e0785a2d8b4ec4ef0b38772cb50d4105e0444ec7dfd7705ab13d9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe4kzlbc\xe4kzlbc.0.cs

Filesize
670B

MD5
7bce4e00e5c6799ee02872ea55d27f57

SHA1
197fe2f361a8a78eea69fe9c756e3ec8d140f20a

SHA256
9e506b6e698c9b54fb4291f0c32f41d278eb891492daedc861f545e1270cf98a

SHA512
5c7982f2400517865c01df3e2f991ef2fb85a4ced3c335582a783e9302ecfc07d7acbd5955efc999a2b0729b431d0bc8a507736c54cbf402a4354153688e1904

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe4kzlbc\xe4kzlbc.cmdline

Filesize
230B

MD5
a7f9e63fafcd4d02061d2237ebbab86f

SHA1
6c7f475c9aa4a791d209925901a301f7fbd9f2f7

SHA256
5baef58b3fa59c3c24cee42634e50bdfa749673a92b291b20e9c3fd10ec41b97

SHA512
47d0268d0641b522362ba3e8e4681741c984e14888af78330cf76699a2f060f9b6322a3785474642d317ade3f2ebfcb02b7c66add27211d9f9d193ef02a637b3

Download Submit
\??\c:\Users\Admin\AppData\Roaming\Pulsar\CSC7E4DD206703F43818C8367B36C185023.TMP

Filesize
1KB

MD5
c0226bce16e9df25dd6967c1a05c81a9

SHA1
5027e75c8aa9c1d7165406ebaaf6ba3f98a4ebba

SHA256
014523b1c5a461ceeaa742dcacbc29a6fc0d9d41cee2fa9eac7afc0cd3c96c77

SHA512
bae4557b6d5221e3011266ad5f2e3c4793308b7910ee07c50c4dfedc15149161f29e5fc6ae08ff39bed37fc59d11cb29a6afc53dce77ff5824e8b1fc5c4d58b8

Download Submit
memory/964-183-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-177-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-182-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-171-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-172-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-173-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-181-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-180-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-179-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/964-178-0x000002561A1A0000-0x000002561A1A1000-memory.dmp

Filesize
4KB

Download
memory/3768-36-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/3768-0-0x00007FFF90053000-0x00007FFF90055000-memory.dmp

Filesize
8KB

Download
memory/3768-10-0x0000019AF42A0000-0x0000019AF42C2000-memory.dmp

Filesize
136KB

Download
memory/3768-11-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/3768-12-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/3768-13-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/4660-76-0x0000019DD7090000-0x0000019DD70F0000-memory.dmp

Filesize
384KB

Download
memory/4660-35-0x0000019DD2C50000-0x0000019DD2C6A000-memory.dmp

Filesize
104KB

Download
memory/4660-75-0x0000019DD2FE0000-0x0000019DD302E000-memory.dmp

Filesize
312KB

Download
memory/4660-74-0x0000019DD5190000-0x0000019DD5240000-memory.dmp

Filesize
704KB

Download
memory/4660-73-0x0000019DD5250000-0x0000019DD5302000-memory.dmp

Filesize
712KB

Download
memory/4660-217-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/4660-31-0x0000019DB3CB0000-0x0000019DB41E8000-memory.dmp

Filesize
5.2MB

Download
memory/4660-72-0x0000019DD3030000-0x0000019DD3080000-memory.dmp

Filesize
320KB

Download
memory/4660-71-0x0000019DD5070000-0x0000019DD5196000-memory.dmp

Filesize
1.1MB

Download
memory/4660-70-0x0000019DD2FC0000-0x0000019DD2FD8000-memory.dmp

Filesize
96KB

Download
memory/4660-39-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/4660-38-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/4660-37-0x0000019DD38B0000-0x0000019DD3BDE000-memory.dmp

Filesize
3.2MB

Download
memory/4660-77-0x0000019DD3890000-0x0000019DD38AA000-memory.dmp

Filesize
104KB

Download
memory/4660-34-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/4660-33-0x0000019DB4610000-0x0000019DB462A000-memory.dmp

Filesize
104KB

Download
memory/4660-32-0x00007FFF90050000-0x00007FFF90B12000-memory.dmp

Filesize
10.8MB

Download
memory/5800-168-0x000000001B9C0000-0x000000001BBA0000-memory.dmp

Filesize
1.9MB

Download
memory/5800-167-0x0000000000B10000-0x0000000000C88000-memory.dmp

Filesize
1.5MB

Download