quasar | 53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
Size

477KB
MD5

90bced8d18a24d6d148eb5225c66760e
SHA1

4feba0e911d90cfc1467907c09a0f7ce89e184e2
SHA256

53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a
SHA512

8ff7b113eb6140906f0220c22930e70f6cd14e219bb3d8f5ff0e75d0f33b262e9ecd05316ece994561870aa7c140b83cd91146ef12c1dddfb6afd1f8d0230583
SSDEEP

12288:+VVVibrHQHGvLvB1eUmWAP7r9r/+ppppppppppppppppppppppppppppp0GO:+ZibrHxzO1qO

Score

10^/10

quasar mamaup spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

MAMAup

eyasdz.ddns.net:1052

Mutex

QSR_MUTEX_FjemAK95X9OiydAcHT

Attributes

encryption_key
l1K4RtgBHYiqfNoqq3QV
install_name
microcp.exe
log_directory
wincps
reconnect_delay
3000
startup_key
wincp
subdirectory
MicrosoftCP

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

53 ip-api.com
79 ip-api.com
11 ip-api.com
2484 schtasks.exe

flow	ioc
53	ip-api.com
79	ip-api.com
11	ip-api.com
2484	schtasks.exe

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/940-2-0x0000000005590000-0x0000000005620000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

microcp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	microcp.exe

Executes dropped EXE 14 IoCs

Processes:

microcp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exe

pid	process
3156	microcp.exe
4588	microcp.exe
4996	microcp.exe
4676	microcp.exe
4692	microcp.exe
3544	microcp.exe
212	microcp.exe
4560	microcp.exe
2824	microcp.exe
2128	microcp.exe
876	microcp.exe
3712	microcp.exe
2824	microcp.exe
4708	microcp.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
53 ip-api.com
79 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
11	ip-api.com
53	ip-api.com
79	ip-api.com

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
804	3156	WerFault.exe	microcp.exe
1956	4588	WerFault.exe	microcp.exe
392	4996	WerFault.exe	microcp.exe
4732	4676	WerFault.exe	microcp.exe
2692	4692	WerFault.exe	microcp.exe
2704	3544	WerFault.exe	microcp.exe
1756	212	WerFault.exe	microcp.exe
3860	4560	WerFault.exe	microcp.exe
2216	2824	WerFault.exe	microcp.exe
3708	2128	WerFault.exe	microcp.exe
4776	876	WerFault.exe	microcp.exe
3160	3712	WerFault.exe	microcp.exe
1380	2824	WerFault.exe	microcp.exe
1668	4708	WerFault.exe	microcp.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4220	schtasks.exe
5108	schtasks.exe
4628	schtasks.exe
2484	schtasks.exe
4296	schtasks.exe
2988	schtasks.exe
3884	schtasks.exe
2484	schtasks.exe
4260	schtasks.exe
912	schtasks.exe
2996	schtasks.exe
1716	schtasks.exe
2468	schtasks.exe
1008	schtasks.exe
1388	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2416	PING.EXE
2476	PING.EXE
4544	PING.EXE
848	PING.EXE
992	PING.EXE
1088	PING.EXE
1620	PING.EXE
1684	PING.EXE
5004	PING.EXE
5108	PING.EXE
512	PING.EXE
4324	PING.EXE
1976	PING.EXE
4996	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exe

description	pid	process
Token: SeDebugPrivilege	940	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	microcp.exe
Token: SeDebugPrivilege	4588	microcp.exe
Token: SeDebugPrivilege	4996	microcp.exe
Token: SeDebugPrivilege	4676	microcp.exe
Token: SeDebugPrivilege	4692	microcp.exe
Token: SeDebugPrivilege	3544	microcp.exe
Token: SeDebugPrivilege	212	microcp.exe
Token: SeDebugPrivilege	4560	microcp.exe
Token: SeDebugPrivilege	2824	microcp.exe
Token: SeDebugPrivilege	2128	microcp.exe
Token: SeDebugPrivilege	876	microcp.exe
Token: SeDebugPrivilege	3712	microcp.exe
Token: SeDebugPrivilege	2824	microcp.exe
Token: SeDebugPrivilege	4708	microcp.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

microcp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exemicrocp.exe

pid	process
3156	microcp.exe
4588	microcp.exe
4996	microcp.exe
4676	microcp.exe
4692	microcp.exe
3544	microcp.exe
212	microcp.exe
4560	microcp.exe
2824	microcp.exe
2128	microcp.exe
876	microcp.exe
3712	microcp.exe
2824	microcp.exe
4708	microcp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exemicrocp.execmd.exemicrocp.execmd.exemicrocp.execmd.exemicrocp.execmd.exe

description	pid	process	target process
PID 940 wrote to memory of 2484	940	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	schtasks.exe
PID 940 wrote to memory of 2484	940	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	schtasks.exe
PID 940 wrote to memory of 2484	940	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	schtasks.exe
PID 940 wrote to memory of 3156	940	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	microcp.exe
PID 940 wrote to memory of 3156	940	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	microcp.exe
PID 940 wrote to memory of 3156	940	90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe	microcp.exe
PID 3156 wrote to memory of 1716	3156	microcp.exe	schtasks.exe
PID 3156 wrote to memory of 1716	3156	microcp.exe	schtasks.exe
PID 3156 wrote to memory of 1716	3156	microcp.exe	schtasks.exe
PID 3156 wrote to memory of 4472	3156	microcp.exe	cmd.exe
PID 3156 wrote to memory of 4472	3156	microcp.exe	cmd.exe
PID 3156 wrote to memory of 4472	3156	microcp.exe	cmd.exe
PID 4472 wrote to memory of 1424	4472	cmd.exe	chcp.com
PID 4472 wrote to memory of 1424	4472	cmd.exe	chcp.com
PID 4472 wrote to memory of 1424	4472	cmd.exe	chcp.com
PID 4472 wrote to memory of 848	4472	cmd.exe	PING.EXE
PID 4472 wrote to memory of 848	4472	cmd.exe	PING.EXE
PID 4472 wrote to memory of 848	4472	cmd.exe	PING.EXE
PID 4472 wrote to memory of 4588	4472	cmd.exe	microcp.exe
PID 4472 wrote to memory of 4588	4472	cmd.exe	microcp.exe
PID 4472 wrote to memory of 4588	4472	cmd.exe	microcp.exe
PID 4588 wrote to memory of 4628	4588	microcp.exe	schtasks.exe
PID 4588 wrote to memory of 4628	4588	microcp.exe	schtasks.exe
PID 4588 wrote to memory of 4628	4588	microcp.exe	schtasks.exe
PID 4588 wrote to memory of 3212	4588	microcp.exe	cmd.exe
PID 4588 wrote to memory of 3212	4588	microcp.exe	cmd.exe
PID 4588 wrote to memory of 3212	4588	microcp.exe	cmd.exe
PID 3212 wrote to memory of 4600	3212	cmd.exe	chcp.com
PID 3212 wrote to memory of 4600	3212	cmd.exe	chcp.com
PID 3212 wrote to memory of 4600	3212	cmd.exe	chcp.com
PID 3212 wrote to memory of 1684	3212	cmd.exe	PING.EXE
PID 3212 wrote to memory of 1684	3212	cmd.exe	PING.EXE
PID 3212 wrote to memory of 1684	3212	cmd.exe	PING.EXE
PID 3212 wrote to memory of 4996	3212	cmd.exe	microcp.exe
PID 3212 wrote to memory of 4996	3212	cmd.exe	microcp.exe
PID 3212 wrote to memory of 4996	3212	cmd.exe	microcp.exe
PID 4996 wrote to memory of 2484	4996	microcp.exe	schtasks.exe
PID 4996 wrote to memory of 2484	4996	microcp.exe	schtasks.exe
PID 4996 wrote to memory of 2484	4996	microcp.exe	schtasks.exe
PID 4996 wrote to memory of 3676	4996	microcp.exe	cmd.exe
PID 4996 wrote to memory of 3676	4996	microcp.exe	cmd.exe
PID 4996 wrote to memory of 3676	4996	microcp.exe	cmd.exe
PID 3676 wrote to memory of 1088	3676	cmd.exe	chcp.com
PID 3676 wrote to memory of 1088	3676	cmd.exe	chcp.com
PID 3676 wrote to memory of 1088	3676	cmd.exe	chcp.com
PID 3676 wrote to memory of 2416	3676	cmd.exe	PING.EXE
PID 3676 wrote to memory of 2416	3676	cmd.exe	PING.EXE
PID 3676 wrote to memory of 2416	3676	cmd.exe	PING.EXE
PID 3676 wrote to memory of 4676	3676	cmd.exe	microcp.exe
PID 3676 wrote to memory of 4676	3676	cmd.exe	microcp.exe
PID 3676 wrote to memory of 4676	3676	cmd.exe	microcp.exe
PID 4676 wrote to memory of 2468	4676	microcp.exe	schtasks.exe
PID 4676 wrote to memory of 2468	4676	microcp.exe	schtasks.exe
PID 4676 wrote to memory of 2468	4676	microcp.exe	schtasks.exe
PID 4676 wrote to memory of 4488	4676	microcp.exe	cmd.exe
PID 4676 wrote to memory of 4488	4676	microcp.exe	cmd.exe
PID 4676 wrote to memory of 4488	4676	microcp.exe	cmd.exe
PID 4488 wrote to memory of 4624	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 4624	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 4624	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 2476	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 2476	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 2476	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 4692	4488	cmd.exe	microcp.exe

C:\Users\Admin\AppData\Local\Temp\90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\90bced8d18a24d6d148eb5225c66760e_JaffaCakes118.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2484

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCIHu7fTkWmj.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1424

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:848

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WZt9ALKR3pAW.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4600

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1684

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ZFDHKfVndG5.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2416

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIbRP2Lt18p3.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2476

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeCJfH0sKRDp.bat" "
11⤵
PID:4748

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4420

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:5004

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fagVZvchkbA6.bat" "
13⤵
PID:1668

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:3160

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:992

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\go0HFZ4UBsJs.bat" "
15⤵
PID:4724

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3580

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:5108

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KviKpF5wNBSp.bat" "
17⤵
PID:4488

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2592

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4544

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OivRAJUZwIB5.bat" "
19⤵
PID:3980

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4740

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:512

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KRGfI1AxAnk3.bat" "
21⤵
PID:1740

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1912

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1088

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F9ctPjqMPIJ1.bat" "
23⤵
PID:1252

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:5100

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4324

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUaH6UAhg0J0.bat" "
25⤵
PID:1704

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3732

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1976

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RDkE0w0QQJar.bat" "
27⤵
PID:912

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1276

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1620

C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "wincp" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z2l48kZMUEz1.bat" "
29⤵
PID:1900

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1532

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 2232
29⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 2248
27⤵
- Program crash
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 2200
25⤵
- Program crash
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 2252
23⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 2240
21⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1688
19⤵
- Program crash
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 2248
17⤵
- Program crash
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 2256
15⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 2248
13⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 2200
11⤵
- Program crash
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 2248
9⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1672
7⤵
- Program crash
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 2216
5⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 2232
3⤵
- Program crash
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3156 -ip 3156
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4588 -ip 4588
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4996 -ip 4996
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4676 -ip 4676
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4692 -ip 4692
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3544 -ip 3544
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 212
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4560 -ip 4560
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2824 -ip 2824
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2128 -ip 2128
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 876 -ip 876
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3712 -ip 3712
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2824 -ip 2824
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4708 -ip 4708
1⤵
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ZFDHKfVndG5.bat
Filesize
213B

MD5
ef0b2a41a3b9d20cf529e7c9c480347c

SHA1
ca6eb024aacd254abf944bdd1adde6fc01325bf0

SHA256
502b027a8157d701568a70785898758ba28d6b98789ed7c760aac99443395607

SHA512
d8da6164bfd738628e84dabadf3942cc04ce638d32bc24ee65bfdf03f83c332c2a91b9b62f44f3be1e034c25aee2af5afb9ef82ced2304e904ff0392925aacd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCIHu7fTkWmj.bat
Filesize
213B

MD5
b9c79a91cb05e5510a276dc1ee4d120b

SHA1
d7f565aecb48142eafbbf6faf85779a296dad480

SHA256
05264a937407c4ecbe5d9369880ba6f25a2f7e12a035c3470eefd1c41697d467

SHA512
046e0e08194d2f3ff1402ecf6bad0956b36bc1d220560415d8bded3623aa2dac985c20d313e402453d0e23f67c11726f7c0b1fbec2a9c71bb4c8027d2c0629dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9ctPjqMPIJ1.bat
Filesize
213B

MD5
85f4a5b12fb4397fbcd541b26ba62ed7

SHA1
ebf6389b58e5afaa8d9aa48b31476b5c9097fc13

SHA256
b619815809ebb7cd67160bb47eceb38d2f8642967e2ac68facd8c1adf9bd5203

SHA512
3c5dfdb53a385a2578efccf22758c70732e4cb45b163a112b289c25654400652fe8c2670e3a00ec89f1d4a4dc5d4c690e54a419820ed5973e764f96d4b2a0148

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeCJfH0sKRDp.bat
Filesize
213B

MD5
845226b093a35c7cf0579cee2321b1b8

SHA1
e33a1e903e22e78e8111c1b4b24682fc5a0dde41

SHA256
d7bcb8a6dfa6c06073c71079574271a39264ce34136a3e01a405ef896aa66ae9

SHA512
3f0a3df5bc322f9e1f4b9dec857719bac5c2ec7068dc9f889347440aee0fc5707bd560462f501acb6b1489a3ff76e591c065640a9951b6f082f1f3e70f082af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRGfI1AxAnk3.bat
Filesize
213B

MD5
da83a6347a9dbe50f7fd4a10a7207201

SHA1
8cc1cadd5e4c4103b7a2664e54956e89617f12e6

SHA256
23e7bb675775faa24f46fbc53c5ab62666d58043a9c9b4b7c79c573c6d3761b9

SHA512
7f063f9666bd884d13878322b348c4c31afe7c94cfa512edf42a192ca7d25099aa78d00338eaeeef2ef0c3581afd477f0aab7415bbe3fbf619bb113afead6245

Download Submit
C:\Users\Admin\AppData\Local\Temp\KviKpF5wNBSp.bat
Filesize
213B

MD5
02a99beaf295f6aa90e37b89d578e69e

SHA1
9f469785ec128d572f587acdca4518b5bac3d465

SHA256
4ce17a1a3e3c8734c2ccc64e9fd29e072353c053854d1614dd5b3392e862787e

SHA512
3c03015654540ea2f2f253fb821d2b3b6d229f131cd6fcbe38eaef88a8a6d821282f8bdcbd16e19f7d87193ab4c24851d7bdb52cc5e606e5198d0b61124de2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OivRAJUZwIB5.bat
Filesize
213B

MD5
906b9e97fa20c99840d9d3988b0850c8

SHA1
6f40a931c6bbea0a07106e08a859d583c20fb6af

SHA256
400d6f7775b9d415a021abd19fe333e17ff868e24b5ef3232c29ca363f221712

SHA512
e931ee8f66762be8c693042222805e1770f4bc1b4f90a1b537d7f322071d2fba374172c9c8f11b71cdc0d27aba93975288a3aa335f98895be503de7ceab79024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDkE0w0QQJar.bat
Filesize
213B

MD5
9014149b59f3e61cf5f91fb23be59aa8

SHA1
99530c055fce23c0630611adf10a8917be959dd7

SHA256
9dd13aefe4f239b2f0eeecdb166081d39098bb4af27d2b182fac4f399e0cb79d

SHA512
6a695a7f54510804552a0a23f75bda7bd6afaf6e422116183edb962c6309de283ffbc0d2c7d89c2ad3a9924ca64a2266ea1a212f43168fe31985869f87278869

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUaH6UAhg0J0.bat
Filesize
213B

MD5
fde7ce5612430cfb9e4cf32fa08c9342

SHA1
770f04179e03daec87b92f3ef6427db25f3e745e

SHA256
0317971dd93cbbff36d268e342358757c1238dc7b9bff2cd3c3dfef684e2aa90

SHA512
a5ed35e99b669d7521eeee74cd1b412da4fae55b416f40c157c81121b8e02517709f04f08d5f1d6ea672752de074de455b7d8f7726cbeddf59f4b5fba0a6afdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZt9ALKR3pAW.bat
Filesize
213B

MD5
240fe16ba54b1d8415901b44c09fa19e

SHA1
f8f5e607069d9a8ec34ad1cbe9e0600ca5e63d5c

SHA256
6d3fadbe328a2a3538e8fedc7fae1b0cd667335e5aae019c6ce47d86a3aa0125

SHA512
5071f5a5cbf41c742f75db0cebac2d0de0b013aafd4792e31d3e8289ebb695498f4ad6e778c3f6e18301aa27752708578960b03e3a38c4fdeabbea620f51f549

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z2l48kZMUEz1.bat
Filesize
213B

MD5
356e3c07d0910f1ca91ade7b5824b595

SHA1
ee870ce190f8b09cd9e73ce9b113459e61b2ad7b

SHA256
79222dffdf33874eb3e74eb0b9755b0e173e9e6894375e5a766d4e2e6f04f12d

SHA512
10f5d26fd1c64a2b42f75d06e391a8092c6a4d1fb55ea188d967f39a57ad878dc55d3a482376aeeeea16a59dbc44a615699fa6af048950f9d5998fdbf6e4b601

Download Submit
C:\Users\Admin\AppData\Local\Temp\fagVZvchkbA6.bat
Filesize
213B

MD5
87e81956f62417b23e9bc246d7f5b8be

SHA1
0a501214f119e57f22fe48aa22d15a0a77d935b0

SHA256
865321ef5ccff21e65402156e585bded436a1a213e8b741b43f0e0b2af91e789

SHA512
a7c4e52448769a5f9c07b9ac4aaede15768e626f28af02670170f5e908cdf2a148eae58505ac6edf618879a877e3d89c55cf094f694ac816bd8b9e646d084576

Download Submit
C:\Users\Admin\AppData\Local\Temp\go0HFZ4UBsJs.bat
Filesize
213B

MD5
519b9bc34ff159f2aafd4fcdd1d95d3f

SHA1
0e26261cfd54bfde811a1de1f67630d157a5e227

SHA256
ecfa0e16a6cc30681dadd498d6a083117e5c6a5eb1f51bd6d5d96d0557abfb3e

SHA512
b39eff661e56e1dd97a6dece0a1b28f85395ea1e41bc672a88d011a19fbbda3d0ba956620cf5d8ec5413e184c2e07a537f2e82fa890cb7575d99bb607651d3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIbRP2Lt18p3.bat
Filesize
213B

MD5
00eebe72bc06d64b75d69fc24d89974c

SHA1
678535704abd2018708aa8549ecc174b70cfd6a9

SHA256
99e10d38d949aaf6840ba6e7ead7b1c58c5fbff958f6345e6d20335b96778d14

SHA512
a721d077dfc43ac86e27ccdc4a6c15c7fddc86482867cc05f1b6eb117cf61aee174cf3e6244ca25802c3d3505f8bb19a6586d6c3fb09aaf8194633344b3e4322

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftCP\microcp.exe
Filesize
477KB

MD5
90bced8d18a24d6d148eb5225c66760e

SHA1
4feba0e911d90cfc1467907c09a0f7ce89e184e2

SHA256
53e3ef743e60a3c4b56e9184d4262918e69ea64e9642aead36eab8b6771f0e4a

SHA512
8ff7b113eb6140906f0220c22930e70f6cd14e219bb3d8f5ff0e75d0f33b262e9ecd05316ece994561870aa7c140b83cd91146ef12c1dddfb6afd1f8d0230583

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
52215d2b502e36a6f395f378c15e3c0b

SHA1
f861df1237c4c3e8c95f92fc4239ca32e952aea7

SHA256
51b96adb76b4ab8d32756cbb2db0df16ecd55aacb60831a163fb9c413ac23030

SHA512
110dd42953e6c4a3ca770029088fb966101453bd3c693c06599f616980d4f30db60e0413d59e0b40ea79c7bf5884e2b8345f090a22cfb87399cd8ade111dec19

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
96662856fff35c16b4346039b3db7a90

SHA1
9a399f45be051d5775d79528c54391960fe38bc1

SHA256
f7b7bd6f697481f1982ec510787119c5aad1779d5ce828d3d87c0d70e5e206d0

SHA512
6ad9eef6dbc6c8b17b5aba85b14a73a40501f0b7c3484d4dc1b0bab305bf7632d0ab227e0609ff93ac2a844fdaecdd43f2adda37fd235fb0a4680f2976ce774b

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
c1f7f147917bb629b57e012074b90a20

SHA1
7cb4003f741e7fb4bfb9760a592734361d5e1c25

SHA256
66f5280ec9068ac0bc208615cbd75bfadedd5b32dc47e2f0b5c44b42c6a16725

SHA512
06c63682c1135c2fb27442617828151addcfd967c576d918556c886ad7e60116d8a6f228dab2eb54903a97ca5030769525d489b840ba1f40a2e9cb94d80e9dec

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
ce83570e11e35f6e6b1c2d5a069a5b4f

SHA1
06fcd900e5d6dae3b76cacc8ecc6bc07542342aa

SHA256
ff36dbb4c9cca04a65234b25c947b26d7abd1d088ffb32c2beb48727d160e7a7

SHA512
2138b5af8816cf58188c846812dac5a37752746b969a145978e9b6fe77b5a1e6cf85134fdac969dc26a9961c9321a57513c5f3e9497ee52682049b9ca2fb0bc7

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
b9804206477c2c30d6769cd1a020c329

SHA1
e39611eb46d55185ffdc4d720ac8260c1a87d855

SHA256
70dd29d85e66645e3cded786f7c43397a2b063ed6a8d3261a5affc345f00990c

SHA512
754ed56e373e0e06025508e7c014c10a0c4d1d3d25eb7fdf6197dab5798b38c35a210f3063a7f838407f0e63d160779b98fea697012ba782fdd8c2948b7bb038

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
224198554c8e8bb421fcd78fe5738ffa

SHA1
9e9e8f3a747c346cf551a085344e3a7296f32398

SHA256
c5430fd5f9279b97f55a43378142c234081cec1cbde4bc8f46d658037a0b8174

SHA512
2015e5a87766c7336fe16f9897b89d52900d212f7657141f9a2f0f31b44f46021f901a9c317cb40af2e94e5862cc21d13b578bb508186a7bbb1bc378f47cef2a

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
601165aa8e279392de36f36e3e581ea7

SHA1
e0ca1eab17890ba6be5ceda3a1e1c659893c5e2f

SHA256
9c0f2985f78ebece34e76fe9dc5ace3eed62faa2dbfe50a78ba07e66e67af932

SHA512
afa8e895d4840c01e3c30f4987baf85b76ee648a3d5a1cb476abb9217b5556f3914520f6852dc7fe8493ca598106f95e688e949d2c80d7ccfd98ec1ef71ca755

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
1c5fbafd2e523d6788e2c64ce1266578

SHA1
ff6b4b8e8968baf62a7aeca01e8d8396afa18684

SHA256
64c419beb1cf412b8e03ea2ac794dc77aa230072cad9abb15b1e776b29a234e3

SHA512
eb75586d48af6075a39eb8b1244aa80ad1c2e3a2236fdf96fbde3623a7d1738dee1dc22e8557f436f9c55f396b8cbb4ece53ad96f11093d20c58a1de30731a8c

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
773b02aafdf0318705308274f241bc85

SHA1
9c3520bf2171767de966358b7986695f9681c519

SHA256
3531ea87e21b4952780be62a1824454869cad714d072759bb5143f41342d2744

SHA512
e6182baf43f16479edab1dea1902a83c77f2b05c510e28452b45aa4f7a125f17b64db435127fb25cd1109a96289caf6f5c54740b9129031038f49bf52e0e8975

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
1048f29840c09a675bbc1524f91836f2

SHA1
e84bab4e57616a86c124d3d521b0f14448d48ee2

SHA256
ba395178693052f8315d481f6be3009eb8d9e78da06a7b29a356b448709feba1

SHA512
c49ae7d6d8018d0b15d8ddbe4a6bedcd3f533e4e6355a7ac964c258a427e6b0d9f5f679fbdf34befcd272408a928a3633541e2c751ab1299fde72a068e4e1155

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
a6545fd0ba511f8a4ba8af3b75e1dbb2

SHA1
79299cd8022903f280d19a7806e36d3748986f58

SHA256
dca84cdd729e92ac0b86f1e0803f77d77e2807c5c1319be9b1f2f274d5a18d8e

SHA512
53db0ce597e2550f6e25148c42b9b8b68c3c012af2fcef6c77d9d5ca52378ab18b31e36c6fc1bf84b959bb5dcf5ba63ea706855dade8e83c55144326d09c3502

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
a340277d3d374946f24d7a9d2452dc56

SHA1
4c608eaf788080561f6b10123cd538627d0d6756

SHA256
5a9445819f1e4f375ff7529806ef33023ebc59427fc06dd45c5298b57168d65b

SHA512
0da7d61107d5da65cf106e13eced565593e489bbab1909ff65d50144b539595c2cdb7bf576b93c9fdeb76d1fee9093e7f259236c9b4ed88b06d04242412fa75d

Download Submit
C:\Users\Admin\AppData\Roaming\wincps\06-03-2024
Filesize
224B

MD5
63719172c54191a6ebe75fb07f6e46f3

SHA1
85816c336718340a1f34f57e6a243caab383ce73

SHA256
97296f2f26ac682a58d98edeb4569bc2879e2d46f865090b652cf3d87eac01a6

SHA512
662f938771c9a23165c6e7e5fa5d3265da97dc8024915376ac71ed5897ac316fa7ca6bf4cdc39262cf371a0b95753ae970101c473d11700e906cf3fa56b7b136

Download Submit
memory/940-7-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/940-4-0x0000000007C10000-0x0000000007CA2000-memory.dmp

Filesize
584KB

Download
memory/940-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/940-8-0x0000000008DB0000-0x0000000008DEC000-memory.dmp

Filesize
240KB

Download
memory/940-1-0x0000000000C20000-0x0000000000C9C000-memory.dmp

Filesize
496KB

Download
memory/940-2-0x0000000005590000-0x0000000005620000-memory.dmp

Filesize
576KB

Download
memory/940-3-0x0000000008120000-0x00000000086C4000-memory.dmp

Filesize
5.6MB

Download
memory/940-6-0x0000000007B70000-0x0000000007BD6000-memory.dmp

Filesize
408KB

Download
memory/940-15-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/940-5-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3156-19-0x0000000008450000-0x000000000845A000-memory.dmp

Filesize
40KB

Download
memory/3156-17-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3156-24-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3156-16-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download