Analysis
-
max time kernel
141s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-06-2024 23:23
General
-
Target
13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
-
Size
358KB
-
MD5
13ddb4c563aa5d65f2a9822d50e3b92f
-
SHA1
2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
-
SHA256
29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
-
SHA512
ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
-
SSDEEP
6144:rJqQ4i1FFiEKhtpoidubrUX5v7N/Vyfs5uI:Fpli3poidD5jN/sfs5uI
Malware Config
Extracted
quasar
1.3.0.0
Office04
almammory.hopto.org:1177
QSR_MUTEX_uvFpjg4C7Cxl60AUEGAUEGGMUTEOO
-
encryption_key
WVQm2WP2iovscPfuELDp
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 14 IoCs
-
Runs ping.exe 1 TTPs 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe"1⤵
- Quasar RAT
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSz1vPRe9SAV.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fjvGBYD5cKi5.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WodemfasJ53z.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWfZOPPSf635.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 6500110⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost10⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUubCgjN0crt.bat" "11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 6500112⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost12⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asJCFfYfpjwa.bat" "13⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500114⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost14⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rx1aplvSWUIU.bat" "15⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500116⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost16⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cFlYsfrCVAXy.bat" "17⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost18⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8h228zPjeulx.bat" "19⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500120⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost20⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CtP2iBf4B6x4.bat" "21⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500122⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1TybY6RmBsP3.bat" "23⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500124⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost24⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HHg89w8uNLFM.bat" "25⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500126⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost26⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fw5aBBdrhkqe.bat" "27⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500128⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost28⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcV2DR7o1ARw.bat" "29⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500130⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost30⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 226829⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 168827⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 221225⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 222023⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 221621⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 224419⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 222017⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 224015⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 224413⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 221211⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 22249⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 22487⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 22125⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 22683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4624 -ip 46241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3080 -ip 30801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4300 -ip 43001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4600 -ip 46001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4152 -ip 41521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 224 -ip 2241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3760 -ip 37601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4412 -ip 44121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4480 -ip 44801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2960 -ip 29601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1060 -ip 10601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3484 -ip 34841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4136 -ip 41361⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\SubDir\Client.exeFilesize
358KB
MD513ddb4c563aa5d65f2a9822d50e3b92f
SHA12e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
SHA25629b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
SHA512ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
-
C:\Users\Admin\AppData\Local\Temp\1TybY6RmBsP3.batFilesize
199B
MD5fefa2ff436541b116c91443b80625b8c
SHA1cc52017bbe800fe53dd759b382564d2b50a48934
SHA2563119870c9af5922ea32afcb09fe49530a1f93969bf1bea11c74c2a4fb58cc85d
SHA51212bea99d90165955ce4a0dd2239a8c94a46b591ae53f335ced07332b850ba4681f529fc5826ef54f257a96c94abf21e9de8ff680be51daa887b4a1a083111042
-
C:\Users\Admin\AppData\Local\Temp\8h228zPjeulx.batFilesize
199B
MD5d0f9a329627cca722b424f73d459fe0e
SHA1c38b8553e00ac4ec548296a6d459ced909302a14
SHA25664a028f21d2fdff1cb56fcacec3090cbde5624c853f014a5f9ddaf4e6aa49d69
SHA512906ae7dc92612aab0a869dd7ea497b3bd7726a60e57983dfba3ed2ba14e72096224dc580411fbfd0bf7bc46490e8cc205765ed122a1d35276834a964604903be
-
C:\Users\Admin\AppData\Local\Temp\CUubCgjN0crt.batFilesize
199B
MD53ce96b19b77a2d3737abd8e9871dbd97
SHA183ce9f21cf0aba8725df97f6111f9905d973d361
SHA25698fbb062e979cdc71872f550bce487d4044134201c5e1f17b03ccd2c980fbc1e
SHA5123606c9e83a60c93d15e07fbc816ad685c0fda8949c59baa9c428ebb852c6edf09f94cebd3cbd79f64916041befeeed1438eb38e6b191bf12a8fb39176589b813
-
C:\Users\Admin\AppData\Local\Temp\CtP2iBf4B6x4.batFilesize
199B
MD5af1ecb82b1d67b768ef30366e2ab60fd
SHA17b16a8a337b3cc9cfc11d2426578ccc13270d786
SHA256c4b381f7724b0dfbdc996b3de55f0318be15438413b534bbf944b99c06f2bd5f
SHA5127d24529c847ef034faba4255076e64f7e1293ee430b43a92002c2fcb372feef0ae66ab0670e109f6c23d09b0c1351a219af27ce9824dc740d2f93a5c7a1c4001
-
C:\Users\Admin\AppData\Local\Temp\DcV2DR7o1ARw.batFilesize
199B
MD530f347347acacdfa55e63dea09b81a94
SHA1446866b51bb47967d52f00d5fdf68934c571bf59
SHA2566faef9cdc770e8fa00034d116f5740f4b8ffafa170d96a9d5f560a24c7b9482c
SHA512f3417d56cbb5795b31e44e5c4e514a390cba950ced3b5f05511cb9f4c6dd060b2b74bccd053f0f0edbcb193cb0084ec8dece8475287cca18931cbe937f76117c
-
C:\Users\Admin\AppData\Local\Temp\Fw5aBBdrhkqe.batFilesize
199B
MD56ea5a6801982d5f29c3974e029cb4df7
SHA19ef55cc14f08adf546de5a976af5e4b35b7b190e
SHA25635bca3a329a8b79d2a347b67aa117d3068325290eef4329bb2a232d4244ad21f
SHA5125c60831e24f691938266ce0f95c80e703fa14508fdd3a9e2374dfd44ae08e2d94bcc14b02797980826603d3bb7c3c8e3aadcf7ce8c8d99136d60c04f53ee72b6
-
C:\Users\Admin\AppData\Local\Temp\HHg89w8uNLFM.batFilesize
199B
MD5d8fc846adfaeed91f1805b6eceae6dc2
SHA1b141ce74218c019cc67df701f3a10b6f9988b1c1
SHA256f67f2df7a3653204ea3d8796968f2bebd84ac077e8e3644b4ef4a1ec63476750
SHA5125f6b974a7c540d2ff97bb9d23e363046e2c861a9ffc41030d9ae2e42a16723b6b6d4de158278eec718403720fff737870c57b3ddb1094dbe50aa55003ee58918
-
C:\Users\Admin\AppData\Local\Temp\Rx1aplvSWUIU.batFilesize
199B
MD569c03d97839484099d442489d65a6269
SHA1bf522b0df75947142624ac638d1dc4fd52e48a01
SHA256f3d1574d03e894b1e459ef8bf74bed7576c58b79972c8c38d5140ec59ea92d59
SHA512ee5af8a532f4695d1f6f7a4c7752e307fa99f406ed5cd542aeb35cd818aaf58933369db9b8d247a8226f45c5d548d23a1e793d6c215b76ac24085698f911aa6a
-
C:\Users\Admin\AppData\Local\Temp\WodemfasJ53z.batFilesize
199B
MD55d31c04f7f7a43f63f66e316e315a75e
SHA187a10ed0dd72e484102a5a4cd44f27ac65bc9d33
SHA2560be94cb2308b5a1d4cc588496fbb29bb42f58d5d1a749f7fb9eb22174faa1c2b
SHA512d6d046d30b49b047547a4b1e3bb79456a671705d59ded1871d5cdedbe189d91bb3de7347e51e7b220e0d838d744ee6a9194212eff9100d4e727f83cfc2840182
-
C:\Users\Admin\AppData\Local\Temp\XSz1vPRe9SAV.batFilesize
199B
MD5ac86759fb939882d2c64bd6503e028d8
SHA1df363f6366f900332ed9123db6e2cf092d577304
SHA25643816c19bb682cbd1be9007cde896def863ce2d9805f7b2ecd1c2150d179c82b
SHA512fc66f6fa96c18144eb76c1b9c84030b54fbe6daa72502e5f62502185f18557d459fa019543165c1df24241d485df4028d29c9058b39ed5db3bd01a5e571ffc50
-
C:\Users\Admin\AppData\Local\Temp\asJCFfYfpjwa.batFilesize
199B
MD58bb73944ffad413fcad186b32198bb9e
SHA19a6da6da7dca260efcd60e0d57836281ba199d87
SHA2569ada5f5bcdeca670bbbdd7fff4aa31ea3f75b12bf63fe53d4f5d9fa0d6fa2e76
SHA5128d1a5b9c136f738352a5cefb89095f13da3447bd2743b17c7f8dd226a082718e374cf73c7ac53d9c41a7f3858e879f022da1d74dcc7444e96162c69fe8194f98
-
C:\Users\Admin\AppData\Local\Temp\bWfZOPPSf635.batFilesize
199B
MD5f296f8752b87477654047cf33bdd47ac
SHA1d436a001dc409cbc2288417fa31ba8dbe01a1fc2
SHA25613c169b065bcbc08f4b16e1e52a26c1595f5a55afb82747331efb9471e4a1dfd
SHA51292196accf5142fd168640984f64b544976bdb2fcc3857b9a37875eff5731a157aeccac7af1103a4643c40c154aa21327078c5a177ffcd61cbf6ae996e9db5e18
-
C:\Users\Admin\AppData\Local\Temp\cFlYsfrCVAXy.batFilesize
199B
MD5d95d11b808665d1477ce31316fc6ca8d
SHA18d72c7352d5a50db7a20a1ca72af641298847b9a
SHA256d2b766eee62754df5b38789da677e7e5cd6359756ae858b9c6d4fc8839555aed
SHA512bcdda0ce017d52e816f66777b6cb42370a7798fa4342ee1fd1f9cef547967716e91772265aa97be4291c9ee84d85bb6f9639477c6f853390e0f78094ba0fa0fe
-
C:\Users\Admin\AppData\Local\Temp\fjvGBYD5cKi5.batFilesize
199B
MD537f18935728c63d5f313da32c947379f
SHA102db51c8ddff4ccc2a0f494f340482ab8192faed
SHA2564f93253c2066683fa6351e22ae3a41df3fe0c6d5b8013b767699502f5689e396
SHA512b842ee575afc24fc3077208f6da96c566a8226534228d1de5a073a96932cb1b2fc12269b820327ea56f08a8884e522e082c3dd89efed5c67f78583b67628adaa
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD53fc71556a6637738a3fbe02b1961673e
SHA1b8aa247ba3fcc3886b8e5894c63725d015c55c42
SHA256a80237ffe7b94e6b0393e71b226dc5df7f95e1eb1b9235df25bec53f8c5d9b44
SHA5124aed78cec35ba131ac931e169b11a97c27de30afbfe1c5f154cd2444c294f3858c35cb959d1bab589a870af6305210e396ec42a786b69e128d495bd871d42218
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD5cbfac9273dbd82dcc6fe79eb96309ed0
SHA12b3affbc19e90b233cfea6cc5a6356db1c473bdd
SHA2566d5a8dab14433417adea6c1bcace654d1312420b91f3d194509143f1cbec8256
SHA51263edec8f466b03d94554a9f7c9ae6f39d513b4906571d919e5eaa3edce08557426a6f111eaabdbef881edc85d3a3e683502c6b3d6770637f1496e403805540d9
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD5c1f1f48304256dc704d094283c861a81
SHA16c045e91567fdaecdd35e7ffedb46b8734a1ce8b
SHA2568b7356deb8d13aebc6b52bd5818f6ba915210509b67271763fccc3a84defe21e
SHA512037688aba724a825e9c9e66e0479281e1f953396085cc9e84bdef5a6305a76664f0c69b6e400161d4efe0ae17901312ab9b3ae06836312fb69e2bf54009ad166
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD5993f1d7d8bb311eb8d8be3c67560a081
SHA1c2ebd895698165eecba71eca037924cd13d0b31d
SHA256201b78970529b74f52153c0f226f7b0d3661b94551b7e3d0e8fda5a7c9dde284
SHA512fe071ab8393526b1183b256a37b1421689d4ad629b0f38c2d611f7bf5f84c0efa21f1a800ebba6e56490ef8156010dee6951f418f158d188f3e78e5402a0c7b8
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD54f541f11d78c14502a70700bcb6288f6
SHA169990b5b5172305dceabbdb6e1c7490715b2b148
SHA256f777cb29564d33963630ae2a121791c1696d70a036a1647b4679215090b6a8f0
SHA5125f896550721b004350a297f9aa9d2f2b398f946de38a41000d707829c2c5504aa9991ef80d7c1b9a5143d40ca34fbd215bf7106973f03ba0397cbd23774c1813
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD5827d31340e31fd474bcb06d62b6913dc
SHA1f6f9b6012e223f34a455aaed23813d9cc6d5eca2
SHA256bc0a741aba7a13d6ba58d678edcaa529f03e16d2efbea714fdabdd372d21dfa1
SHA5125ff2c801abc8ac0aa6441566740d13ae0256bedc32f6b76e9ff25390c8e6111fb783dde1a1b6241db368fddfb55d1a37b16d437f87b56c1e069d5b1fdd1ff9fc
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD5ec285992d71569769a51e7fa307078ab
SHA13b7cca874667bdd8f3b098317c46d8e8b5d7544d
SHA256901b630a473c4c6d6c6b465c88f0b207fe4ba62495575ad7bcdc24c9ac96424b
SHA5127daca39743ca2f486668c026ef47a2d2e74a3d23a4ea2e3a27a6e91e2940d6f1bda6e8849a27f40887f486c11342df16aee7f03e8f20f7844bcde5c5c5e9fcf3
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD521c4fa1baba3f733376cfce647367ea3
SHA129ab92d7549ec5e172c936474dcb90bc09d3a097
SHA256db1b5d134a07d5320b67a9785d404a94ade27e7efc6e4b80e3428f07c48d8d52
SHA5125a0e456c4debc41f241694061e7ab752ee067e12828faac66932bbd70af13b669cb5c8c12a5298278ce8ca82b26d8877617a124dbff45a587bc28e6221f9ba38
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD58582edb887b4b285519824841155d5ed
SHA1dc2c3ddf9efe2dafd69464c0eea335d3bd4daa3a
SHA25697fa691839366774484db38d4fdfe4ede187cba5abf7708b813ee3675742ab14
SHA512a51b2893d916c450a68922d6b965db87221b3579e8ed2318b97aae4c483e1bb3bf526449239c7e3fd740842c13ffce4cea347a14a31da97dfdf0b7c9284be04b
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD5bbee248e4fbf2fd5cf53f69c3d6f99e7
SHA17340bb3fff37619298881b704bf98c533088e5e7
SHA2560e89115f357dad5e774cb9eb7f52a20d824395b91cbfb7200321194565614b8c
SHA51238ae0040e6ec173ebbd07423d2297c88f8ca67e0324a6aec6b6e18a6231aabecb10d9433b0a4ca320ea63c553d858f732f03f47a35996d2a9c0ceb542f5fa249
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024Filesize
224B
MD5133f2f22fe2e24ff6130721c5e5a6f67
SHA13526a5dc9dab08f441463da42e779602597717f4
SHA256deb829bbda78eb8e62bbaad53eb03bb3d2fe74ff4aef576cc43ea71474849c62
SHA5128e4d5f41d770bbcf2929515d68519cdeb0c74edd9522feeccfc08a8e4091722c373068a9bf5cdd1841679712b8fbbb5a836db9d1e8467450684fe02404db68c3
-
memory/4196-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmpFilesize
4KB
-
memory/4196-14-0x0000000074AC0000-0x0000000075270000-memory.dmpFilesize
7.7MB
-
memory/4196-7-0x00000000065A0000-0x00000000065DC000-memory.dmpFilesize
240KB
-
memory/4196-6-0x0000000006060000-0x0000000006072000-memory.dmpFilesize
72KB
-
memory/4196-5-0x0000000005340000-0x00000000053A6000-memory.dmpFilesize
408KB
-
memory/4196-4-0x0000000074AC0000-0x0000000075270000-memory.dmpFilesize
7.7MB
-
memory/4196-3-0x00000000052A0000-0x0000000005332000-memory.dmpFilesize
584KB
-
memory/4196-2-0x0000000005850000-0x0000000005DF4000-memory.dmpFilesize
5.6MB
-
memory/4196-1-0x00000000007F0000-0x0000000000850000-memory.dmpFilesize
384KB
-
memory/4624-22-0x0000000074AC0000-0x0000000075270000-memory.dmpFilesize
7.7MB
-
memory/4624-13-0x0000000074AC0000-0x0000000075270000-memory.dmpFilesize
7.7MB
-
memory/4624-15-0x0000000074AC0000-0x0000000075270000-memory.dmpFilesize
7.7MB
-
memory/4624-17-0x0000000006370000-0x000000000637A000-memory.dmpFilesize
40KB