Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-06-2024 18:55

General

  • Target

    Loader.exe

  • Size

    409KB

  • MD5

    808d880b4fc7f865fb607337690b5575

  • SHA1

    7782ec3da7a6f8ed196d4431c59d50690580ac39

  • SHA256

    90a58064c6df293fc564fa5b616c737f6fd31f6288433da2030ec56d6dc46962

  • SHA512

    7a7ee833835d9469a1a5b48a5cbf9c902f362d82ad37b2ba99944e692b4322c140d770dc7be30f8ace7b84d6508e4d2e5f2007294ca3c07094bbfca8120ec6a8

  • SSDEEP

    12288:KpsD64e1Muxkk3abqow6dL+32oJN/nSjCt1hw:OsG4kMUQU6E3NN/nk

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

feel-barcelona.gl.at.ply.gg:47655

Mutex

$Sxr-GV6wZsGZZMeZ3qfenc

Attributes
  • encryption_key

    OyypB9RDbCUrmPK8uTim

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Anti-Malware Disable Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • Runs ping.exe 1 TTPs 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1836
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JhrUKLnSUCN8.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:3240
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:2088
        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3256
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2564
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yhtFvMHgLWsq.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4296
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:4596
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:4760
              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                5⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4132
                • C:\Windows\SysWOW64\schtasks.exe
                  "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4156
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usAtBPAZzyaD.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1484
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    7⤵
                      PID:4000
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • Runs ping.exe
                      PID:3884
                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                      7⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:2392
                      • C:\Windows\SysWOW64\schtasks.exe
                        "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                        8⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:448
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x3XtlcQuW9mK.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4516
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 65001
                          9⤵
                            PID:4476
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • Runs ping.exe
                            PID:4440
                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                            9⤵
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:1060
                            • C:\Windows\SysWOW64\schtasks.exe
                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                              10⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:4608
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mTl23LRA4x7s.bat" "
                              10⤵
                                PID:1356
                                • C:\Windows\SysWOW64\chcp.com
                                  chcp 65001
                                  11⤵
                                    PID:3656
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping -n 10 localhost
                                    11⤵
                                    • Runs ping.exe
                                    PID:568
                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                    11⤵
                                    • Checks computer location settings
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:3408
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                      12⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1620
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMBlgJYkB3r3.bat" "
                                      12⤵
                                        PID:3268
                                        • C:\Windows\SysWOW64\chcp.com
                                          chcp 65001
                                          13⤵
                                            PID:4136
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping -n 10 localhost
                                            13⤵
                                            • Runs ping.exe
                                            PID:1312
                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                            13⤵
                                            • Checks computer location settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of SetWindowsHookEx
                                            PID:3260
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                              14⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1672
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHPE70peoxI8.bat" "
                                              14⤵
                                                PID:2804
                                                • C:\Windows\SysWOW64\chcp.com
                                                  chcp 65001
                                                  15⤵
                                                    PID:1208
                                                  • C:\Windows\SysWOW64\PING.EXE
                                                    ping -n 10 localhost
                                                    15⤵
                                                    • Runs ping.exe
                                                    PID:1716
                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                    15⤵
                                                    • Checks computer location settings
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2584
                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                      16⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4752
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2YO3QB7yM2vN.bat" "
                                                      16⤵
                                                        PID:5096
                                                        • C:\Windows\SysWOW64\chcp.com
                                                          chcp 65001
                                                          17⤵
                                                            PID:1256
                                                          • C:\Windows\SysWOW64\PING.EXE
                                                            ping -n 10 localhost
                                                            17⤵
                                                            • Runs ping.exe
                                                            PID:4716
                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                            17⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2556
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2236
                                                          16⤵
                                                          • Program crash
                                                          PID:3824
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1092
                                                      14⤵
                                                      • Program crash
                                                      PID:4368
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2252
                                                  12⤵
                                                  • Program crash
                                                  PID:2520
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1660
                                              10⤵
                                              • Program crash
                                              PID:1824
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 2196
                                          8⤵
                                          • Program crash
                                          PID:4484
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 2200
                                      6⤵
                                      • Program crash
                                      PID:4804
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1092
                                  4⤵
                                  • Program crash
                                  PID:4288
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 2256
                              2⤵
                              • Program crash
                              PID:3216
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2304 -ip 2304
                            1⤵
                              PID:4592
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3256 -ip 3256
                              1⤵
                                PID:3888
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4132 -ip 4132
                                1⤵
                                  PID:2008
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2392 -ip 2392
                                  1⤵
                                    PID:1256
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1060 -ip 1060
                                    1⤵
                                      PID:3660
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3408 -ip 3408
                                      1⤵
                                        PID:2388
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3260 -ip 3260
                                        1⤵
                                          PID:3252
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2584 -ip 2584
                                          1⤵
                                            PID:216

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Temp\2YO3QB7yM2vN.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Local\Temp\IMBlgJYkB3r3.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Local\Temp\JhrUKLnSUCN8.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Local\Temp\mTl23LRA4x7s.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Local\Temp\rHPE70peoxI8.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Local\Temp\usAtBPAZzyaD.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Local\Temp\x3XtlcQuW9mK.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Local\Temp\yhtFvMHgLWsq.bat

                                            Filesize

                                            203B

                                          • C:\Users\Admin\AppData\Roaming\Logs\06-28-2024

                                            Filesize

                                            224B