Analysis
-
max time kernel
137s -
max time network
159s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 02:15
Static task
static1
Behavioral task
behavioral1
Sample
aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe
Resource
win7-20231023-en
General
-
Target
aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe
-
Size
155.0MB
-
MD5
64282b6b4d579449c2ad7799f06f86b6
-
SHA1
2b468af1d1a656d666d8137cb1ca42476d975643
-
SHA256
aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c
-
SHA512
1474b425d80eae5507d76235ff08dde303d1d4ef8287ef408621530fe9ae7983a5face388968b078671b6db0bc85053e80a600eeaafddd67b7b980ded9579977
-
SSDEEP
1572864:gFysNpDQKKr7VskunAMTp9d6vN2EzzyPsYpeU9EK:g4snQ/rxsnnAw6vUEzlYB
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.10.145:4782
4f9fc524-eb7d-412c-82e9-60d973f2e68b
-
encryption_key
25C16D5BA2F06B33ED6B1D041FCCCC89A74FFA91
-
install_name
System32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 7 IoCs
resource yara_rule behavioral1/files/0x00070000000120ca-6.dat family_quasar behavioral1/files/0x00070000000120ca-7.dat family_quasar behavioral1/memory/2700-8-0x0000000000F60000-0x0000000001284000-memory.dmp family_quasar behavioral1/files/0x002e000000014702-12.dat family_quasar behavioral1/files/0x002e000000014702-14.dat family_quasar behavioral1/files/0x002e000000014702-15.dat family_quasar behavioral1/memory/2580-17-0x00000000001F0000-0x0000000000514000-memory.dmp family_quasar -
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
pid Process 2700 wwwwwww.exe 2580 System32.exe 2568 NovaInstaller.exe 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 2352 windowsdesktop-runtime-6.0.15-win-x64.exe -
Loads dropped DLL 11 IoCs
pid Process 2852 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe 2568 NovaInstaller.exe 2568 NovaInstaller.exe 2568 NovaInstaller.exe 1232 Process not Found 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 2692 WerFault.exe 2692 WerFault.exe 2692 WerFault.exe 2692 WerFault.exe 2692 WerFault.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0f39db03-9030-48f3-82ef-5384bed81d85} = "\"C:\\ProgramData\\Package Cache\\{0f39db03-9030-48f3-82ef-5384bed81d85}\\windowsdesktop-runtime-6.0.21-win-x64.exe\" /burn.runonce" windowsdesktop-runtime-6.0.21-win-x64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\system32\SubDir\System32.exe wwwwwww.exe File opened for modification C:\Windows\system32\SubDir\System32.exe wwwwwww.exe File opened for modification C:\Windows\system32\SubDir wwwwwww.exe File opened for modification C:\Windows\system32\SubDir\System32.exe System32.exe File opened for modification C:\Windows\system32\SubDir System32.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.21 (x64).swidtag windowsdesktop-runtime-6.0.21-win-x64.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log windowsdesktop-runtime-6.0.21-win-x64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2692 2352 WerFault.exe 34 -
Modifies registry class 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Version = "6.0.21.32717" windowsdesktop-runtime-6.0.21-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.21 (x64)" windowsdesktop-runtime-6.0.21-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Dependents\{0f39db03-9030-48f3-82ef-5384bed81d85} windowsdesktop-runtime-6.0.21-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Dependents windowsdesktop-runtime-6.0.21-win-x64.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85} windowsdesktop-runtime-6.0.21-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\ = "{0f39db03-9030-48f3-82ef-5384bed81d85}" windowsdesktop-runtime-6.0.21-win-x64.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 NovaInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 NovaInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 NovaInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 NovaInstaller.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2700 wwwwwww.exe Token: SeDebugPrivilege 2580 System32.exe Token: SeDebugPrivilege 2568 NovaInstaller.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2580 System32.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2580 System32.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2852 wrote to memory of 2700 2852 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe 28 PID 2852 wrote to memory of 2700 2852 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe 28 PID 2852 wrote to memory of 2700 2852 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe 28 PID 2700 wrote to memory of 2580 2700 wwwwwww.exe 29 PID 2700 wrote to memory of 2580 2700 wwwwwww.exe 29 PID 2700 wrote to memory of 2580 2700 wwwwwww.exe 29 PID 2852 wrote to memory of 2568 2852 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe 32 PID 2852 wrote to memory of 2568 2852 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe 32 PID 2852 wrote to memory of 2568 2852 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe 32 PID 2568 wrote to memory of 2056 2568 NovaInstaller.exe 33 PID 2568 wrote to memory of 2056 2568 NovaInstaller.exe 33 PID 2568 wrote to memory of 2056 2568 NovaInstaller.exe 33 PID 2568 wrote to memory of 2056 2568 NovaInstaller.exe 33 PID 2568 wrote to memory of 2056 2568 NovaInstaller.exe 33 PID 2568 wrote to memory of 2056 2568 NovaInstaller.exe 33 PID 2568 wrote to memory of 2056 2568 NovaInstaller.exe 33 PID 2056 wrote to memory of 2352 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 34 PID 2056 wrote to memory of 2352 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 34 PID 2056 wrote to memory of 2352 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 34 PID 2056 wrote to memory of 2352 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 34 PID 2056 wrote to memory of 2352 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 34 PID 2056 wrote to memory of 2352 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 34 PID 2056 wrote to memory of 2352 2056 windowsdesktop-runtime-6.0.15-win-x64.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe"C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\system32\SubDir\System32.exe"C:\Windows\system32\SubDir\System32.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2580
-
-
-
C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe"windowsdesktop-runtime-6.0.15-win-x64.exe" /S3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe"C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192 /S4⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe"C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe" -q -burn.elevated BurnPipe.{BFD06905-3FC7-41AE-8DDF-8872F31DDB7D} {607D96EA-69A2-43BE-AFEF-AA2E8D611217} 23525⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:852
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 3325⤵
- Loads dropped DLL
- Program crash
PID:2692
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Package Cache\{0f39db03-9030-48f3-82ef-5384bed81d85}\windowsdesktop-runtime-6.0.21-win-x64.exe
Filesize610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD58607a9247810ad6029d0dca93c2b76aa
SHA1e56cd3223c14833400c81afeac451d1558cd7249
SHA256e6953f66a991dcb92d77640475077318dc9da139d4ecc821c1a6bc9f4622af82
SHA5127ba98b07247d084ebb21ca0641fdfbdb5291e98752d1f5354df951a48e0b70e9abd19b620ad57703eb33987b19a3ec85721a074ff9f83219a0fe8854384fd2ec
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
152.1MB
MD56196a6ac54713dc0d11c7ebab96bc6d0
SHA1594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA25674db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7
-
Filesize
152.1MB
MD56196a6ac54713dc0d11c7ebab96bc6d0
SHA1594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA25674db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
54.7MB
MD51a6d60add2d112dd73e83fb46dca474d
SHA18b374a54f508cfdb8c8176bfaef96f37edf7170b
SHA256aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545
SHA51249192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79
-
Filesize
54.7MB
MD51a6d60add2d112dd73e83fb46dca474d
SHA18b374a54f508cfdb8c8176bfaef96f37edf7170b
SHA256aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545
SHA51249192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79
-
Filesize
3.1MB
MD57404ded83ef64d354248abcd89e798ef
SHA156c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA25657317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26
-
Filesize
3.1MB
MD57404ded83ef64d354248abcd89e798ef
SHA156c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA25657317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26
-
Filesize
3.1MB
MD57404ded83ef64d354248abcd89e798ef
SHA156c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA25657317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26
-
Filesize
3.1MB
MD57404ded83ef64d354248abcd89e798ef
SHA156c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA25657317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26
-
C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
Filesize610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
3.1MB
MD57404ded83ef64d354248abcd89e798ef
SHA156c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA25657317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26
-
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\D3DCompiler_47_cor3.dll
Filesize4.7MB
MD52191e768cc2e19009dad20dc999135a3
SHA1f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA2567353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA5125adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
-
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\PresentationNative_cor3.dll
Filesize1.2MB
MD5c7bcc68b81e965fe74ef58d503c58deb
SHA199990f204f7318eeb8de6f9664ebcd0d42ea81b7
SHA25606cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e
SHA512cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c
-
Filesize
1.9MB
MD51b01746fe61beb761a643050823190b0
SHA1927b12e4a733bcc51545c6a005838a24b8dc4dda
SHA256f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8
SHA51283eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a
-
Filesize
152.1MB
MD56196a6ac54713dc0d11c7ebab96bc6d0
SHA1594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA25674db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7
-
Filesize
152.1MB
MD56196a6ac54713dc0d11c7ebab96bc6d0
SHA1594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA25674db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7
-
Filesize
610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9