quasar | 33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4b

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
Size

3.8MB
MD5

74eda795d396603a1b46b93eb10d72f0
SHA1

5ef9985f0ebb66336125f4751c7da012582c9dd4
SHA256

33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4b
SHA512

ef87c84b8d8238d8cbf58b2db4f06cabcd9f5c6471e73d5c30f877084586045dbe9ee47ac275bf59d37b66b9aa2a41809561d0aa3dcae43400c0f1537c5668c4
SSDEEP

98304:CUBpeT0riOfERBGWQMYEUDPeuetEnEP4UTfGpFvMvh1u:CUBpeT0unRPQhCuMKUbGpxch1u

Score

10^/10

quasar 26-11 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

26-11

maxigym.net:4782

Mutex

579ac83a-8fa5-4dbc-8dcc-c76fafec1a69

Attributes

encryption_key
DD459BB92A43EF8EEB2FE401C8453F685AECE590
install_name
ChromiumDaemon.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Chromium Extentions Service
subdirectory
ChromiumExtentions

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1700-586-0x0000000000440000-0x000000000079C000-memory.dmp	family_quasar
behavioral1/memory/1700-588-0x0000000000440000-0x000000000079C000-memory.dmp	family_quasar
behavioral1/memory/1700-589-0x0000000000440000-0x000000000079C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 596 created 1208	596	Sanyo.com	21
PID 596 created 1208	596	Sanyo.com	21

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HealthHubX.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HealthHubX.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
596	Sanyo.com
1700	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2768	cmd.exe
596	Sanyo.com
1700	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2640	tasklist.exe
1856	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\TalentLeast	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
File opened for modification	C:\Windows\MouthDl	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
File opened for modification	C:\Windows\MotelGroove	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
File opened for modification	C:\Windows\UpdatesPlugins	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
File opened for modification	C:\Windows\RotationProperties	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
File opened for modification	C:\Windows\RelyUsually	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sanyo.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1368	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
888	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	tasklist.exe
Token: SeDebugPrivilege	1856	tasklist.exe
Token: SeDebugPrivilege	1700	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
596	Sanyo.com
596	Sanyo.com
596	Sanyo.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
888	WINWORD.EXE
888	WINWORD.EXE
1700	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2768	1964	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe	30
PID 1964 wrote to memory of 2768	1964	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe	30
PID 1964 wrote to memory of 2768	1964	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe	30
PID 1964 wrote to memory of 2768	1964	33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe	30
PID 2768 wrote to memory of 2640	2768	cmd.exe	33
PID 2768 wrote to memory of 2640	2768	cmd.exe	33
PID 2768 wrote to memory of 2640	2768	cmd.exe	33
PID 2768 wrote to memory of 2640	2768	cmd.exe	33
PID 2768 wrote to memory of 2892	2768	cmd.exe	34
PID 2768 wrote to memory of 2892	2768	cmd.exe	34
PID 2768 wrote to memory of 2892	2768	cmd.exe	34
PID 2768 wrote to memory of 2892	2768	cmd.exe	34
PID 2768 wrote to memory of 1856	2768	cmd.exe	36
PID 2768 wrote to memory of 1856	2768	cmd.exe	36
PID 2768 wrote to memory of 1856	2768	cmd.exe	36
PID 2768 wrote to memory of 1856	2768	cmd.exe	36
PID 2768 wrote to memory of 1532	2768	cmd.exe	37
PID 2768 wrote to memory of 1532	2768	cmd.exe	37
PID 2768 wrote to memory of 1532	2768	cmd.exe	37
PID 2768 wrote to memory of 1532	2768	cmd.exe	37
PID 2768 wrote to memory of 640	2768	cmd.exe	38
PID 2768 wrote to memory of 640	2768	cmd.exe	38
PID 2768 wrote to memory of 640	2768	cmd.exe	38
PID 2768 wrote to memory of 640	2768	cmd.exe	38
PID 2768 wrote to memory of 1948	2768	cmd.exe	39
PID 2768 wrote to memory of 1948	2768	cmd.exe	39
PID 2768 wrote to memory of 1948	2768	cmd.exe	39
PID 2768 wrote to memory of 1948	2768	cmd.exe	39
PID 2768 wrote to memory of 596	2768	cmd.exe	40
PID 2768 wrote to memory of 596	2768	cmd.exe	40
PID 2768 wrote to memory of 596	2768	cmd.exe	40
PID 2768 wrote to memory of 596	2768	cmd.exe	40
PID 2768 wrote to memory of 1820	2768	cmd.exe	41
PID 2768 wrote to memory of 1820	2768	cmd.exe	41
PID 2768 wrote to memory of 1820	2768	cmd.exe	41
PID 2768 wrote to memory of 1820	2768	cmd.exe	41
PID 596 wrote to memory of 1584	596	Sanyo.com	42
PID 596 wrote to memory of 1584	596	Sanyo.com	42
PID 596 wrote to memory of 1584	596	Sanyo.com	42
PID 596 wrote to memory of 1584	596	Sanyo.com	42
PID 596 wrote to memory of 1200	596	Sanyo.com	44
PID 596 wrote to memory of 1200	596	Sanyo.com	44
PID 596 wrote to memory of 1200	596	Sanyo.com	44
PID 596 wrote to memory of 1200	596	Sanyo.com	44
PID 1584 wrote to memory of 1368	1584	cmd.exe	45
PID 1584 wrote to memory of 1368	1584	cmd.exe	45
PID 1584 wrote to memory of 1368	1584	cmd.exe	45
PID 1584 wrote to memory of 1368	1584	cmd.exe	45
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 596 wrote to memory of 1700	596	Sanyo.com	47
PID 1700 wrote to memory of 888	1700	RegAsm.exe	48
PID 1700 wrote to memory of 888	1700	RegAsm.exe	48
PID 1700 wrote to memory of 888	1700	RegAsm.exe	48
PID 1700 wrote to memory of 888	1700	RegAsm.exe	48
PID 888 wrote to memory of 1308	888	WINWORD.EXE	50
PID 888 wrote to memory of 1308	888	WINWORD.EXE	50
PID 888 wrote to memory of 1308	888	WINWORD.EXE	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe
  "C:\Users\Admin\AppData\Local\Temp\33c16415bb86e33f9c9b5e37a20b875df320cc40f5a1d8d7c067279f1ca04b4bN.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Recording Recording.cmd && Recording.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 483308
      4⤵
      System Location Discovery: System Language Discovery
      PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Reliability + ..\Trick + ..\Spas + ..\Jose + ..\Integration + ..\Rap + ..\Animated + ..\Replace + ..\Electron + ..\Antique + ..\Twin + ..\Lows + ..\Citizenship + ..\Guru + ..\Donald + ..\Issn + ..\Shipments + ..\Specialist + ..\Riding + ..\Sum + ..\Central + ..\Fl + ..\September + ..\Dsl + ..\Rent + ..\Achievement + ..\Justice + ..\Cents + ..\Charlotte + ..\Florence + ..\Ip + ..\Wiley + ..\Facing + ..\Stating + ..\Patio + ..\Portal + ..\Nudity + ..\Airline + ..\Lauren + ..\Attacked + ..\Hurricane + ..\Amongst + ..\Coal + ..\Disable i
      4⤵
      System Location Discovery: System Language Discovery
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\483308\Sanyo.com
      Sanyo.com i
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Users\Admin\AppData\Local\Temp\483308\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\483308\RegAsm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Переход на ПАК.docx"
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        7⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Forgot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\HealthHub Dynamics Inc\HealthHubX.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Forgot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\HealthHub Dynamics Inc\HealthHubX.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HealthHubX.url" & echo URL="C:\Users\Admin\AppData\Local\HealthHub Dynamics Inc\HealthHubX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HealthHubX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\483308\i

Filesize
3.1MB

MD5
cc472759ffbc81606936e0ff3969d103

SHA1
195f58beffc97b927468858d3f46508cb0b3e3ed

SHA256
984b3f4579b1c0d35fa5a8b7380e5c98d752143b8312b6c52ddcfd34e4a2775c

SHA512
b0669982d8a2cb93fd15d0facaa652abb7d9bcb6a267bea319368708b7fd883c90930ae0eec85eec07596e57fa68b9fe79946fd31aab0a4407b93320695c1779

Download Submit
C:\Users\Admin\AppData\Local\Temp\Achievement

Filesize
80KB

MD5
eb242f3b0791b33b0301e88e6af51dd4

SHA1
bc2928ad82459d14a49f4782fc4f0bf03a65c7d5

SHA256
6f82b76fadf2a971760a1b63f28f7813c1aa479ed38f625e9124720a9d740bbe

SHA512
8f2255039cc55e3b4381e1bda4fdecb63616cc7acfedebeb8c8f55dd91a726a559d341ae65f728b17b1c8e12962ae42c21ae13906a15f6f66cd2f39866291b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Airline

Filesize
62KB

MD5
9ec543b545d84297362956010b81c024

SHA1
616a38f9a3f729df82912611e6e43059a8e183d8

SHA256
73ce7ce599d81471f1d1cd5a0dff77bb974af616d2195bb56d409a93be24e055

SHA512
81facb6733c6785f28708453b299b4c401e27a33ad9ccd0c50ed7cf25db67d43ead6ac5e7d38fff32e515d235cf1c441bcd8ed4b86c8cc5738e11ef898ada0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amongst

Filesize
72KB

MD5
6f23dd790a433d7cf9b620080c203148

SHA1
6740ad0a55d5ef06567d467945f9af13df39b9f5

SHA256
970721422f28e13ca36bd65f4c31a87ee3ebfd7c041b85c6ab1f33b66c29fbf9

SHA512
14a39a176832526ee93135b921102786a4856a3de7ac0943f2f59095a56237c5a1a9ad42d7693115886258f8e27dd7256812c265251c7c937f777ff267e557d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Animated

Filesize
85KB

MD5
e8c408cef1497a50ff6424ba5e7ca06f

SHA1
393b410ea8b4be674c96c0fde8e6a0d84f73c1e7

SHA256
6b16c9afa9b19dce5ceb569d9fac26f4d4ef6161ceff443b87b186ff6899b7df

SHA512
d773170f50488562d102eeeb041c0ba84b045f7f6228b048f11e5b775073021bf34d74a35c4781b2c528320d4fdb740b3d4ff75400b96945921cc8e14c38cff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antique

Filesize
51KB

MD5
10c762df0eb4a3a73c282a600f856cd0

SHA1
48f5fffcafa88e769388e30e7da56c1917cb7cf4

SHA256
ee2cfc025388142db7180bfb0feba5d5be0518c4e874662258c393aa21840aeb

SHA512
a66245ca1a0e41897c26d3f2d5416fb4086a83482b27e0ff6272157c9f4f41b27325fdd1c77171defb537888f006b63e6a3431dbb0b77e1aee0c2607fa8ab0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attacked

Filesize
50KB

MD5
e39b53e801a5e78951821e814b623c27

SHA1
2ed98f440c1885401c21517483a6bbb05bc4035a

SHA256
34025bd5436f52b006132b63846b890d94bc753cf54e8389551145f56cb7214d

SHA512
f9bb506eaacfb01cb4bbd747d358b7483cbc54609db4e8784ab30267834c09ae87be31a485a52b26695ebd0f1a6ede6ffd0d42aaec46f230d8d07033adb60e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bridge

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Central

Filesize
80KB

MD5
25567f8904d297cbef3b1c2b671fd5a7

SHA1
7572b3555f01fd7b653a94f89a5b2fcee93a9c8c

SHA256
14cc296920a0de242f25d8c264794f078f5172b90ad4ede56d9fd7d6c057df58

SHA512
da920ebdde09515898f6ccc456e3277ab470a81bbe10372483f481f34f89c6255e1383249f36501f173a39c71213f3d546d8b839e977a434cdd8b2383f0041f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cents

Filesize
51KB

MD5
14502248f1269ec9663edab002073a3e

SHA1
563734bd8d2c1595d3f830197c27257c4f60ac32

SHA256
f94466c12ecdaede3cc3b3811f101e61cd40829657debff61fd4763c761622e9

SHA512
c91352bd1b84e5b3e6b7f350a58bdf9f624301f35cf1ba19996eec04ad6d29d2f849713185d3a4e294ec3d7e64ad5401f6b12576d75371069755ebbe00db3db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Charlotte

Filesize
51KB

MD5
cd19b2c040253e898d430e90aa9030f3

SHA1
575440c197eb080cc1c2dcf1fc31782be914b7c9

SHA256
249a73777303618521fb2762fa093ecf3fe613c480337d1dd8dbc946b77fae60

SHA512
973ce823bda74a56492a4bb365952d6f1fcf57e79f7d9ac15ec9a5780f6425ff765c2f0487e8d64f61107324b17cbd1eef1ee8c846748ea30a7e95a536978652

Download Submit
C:\Users\Admin\AppData\Local\Temp\Citizenship

Filesize
58KB

MD5
88213f18619daed4e330a0214e1bff78

SHA1
1f71394b1b347d1a6617b032a72ddb901892b169

SHA256
0a38149a0fd9892a06b8efc4211ea565ec5086d48eb58445a5c82edc23004a4e

SHA512
6d13dc8dff2753f0e76c7d081150720781281f684ef45c2d8e21322e9bc5f08cc8fb124d5a2300802e594786b5987a8f8b8162a135234d902d75dde3c831cb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coal

Filesize
58KB

MD5
ae91a83e941a3d5b1cc76bbe1f786cbd

SHA1
bfaa616851f2b192b10f5ae66a013fb7982e2127

SHA256
6751c3645d14695e75a7f7f8252ef717ae7d6ecc05f5610335efde3b0add3e57

SHA512
94674daaa3f8bf773b1b45297dcb106f3a4c1645039d98c93ada30de49e83956b8e053b450cdd6f3e63dde951d3449cea747bb652c5b644b7036e36a4cbc0a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disable

Filesize
23KB

MD5
5c81d3deb651ee3134974ebb7dc48b4b

SHA1
8c682a991fe9e9ecae23539e52512f9cc67a75fe

SHA256
6be6dec09b5752037870abff8afbd444e5ded2a2a4ee29eb5f0a9b6e3d294054

SHA512
23c977c45dca124b7bb787cba9f257aa96541f4829ae67a4e9a2451369c5a5c39155c2c01afb9fb3a07de1e79ffcef7d4e7d3aa5f0b3538c80f730b32d1e5877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Donald

Filesize
94KB

MD5
1519d410a229edfe0ab5ae861876554f

SHA1
6bfb4bf0b7d6f1e2912ae6f030b3280f59caebc9

SHA256
1cba3155c25a9af8155c43025656525e84e38f9503fd1c18f5147243f16c8cc1

SHA512
81d3c936a31f170f91260ab026be59497686cb9cf1ebdfeb1f81536cdfd2eebd3220d2ce3ad6a6c9472668b718508bb6da627be25d98d8605bc833d21e0239cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dsl

Filesize
72KB

MD5
9c8eec8d06cd1b99e8b9d13781b491a7

SHA1
9cb5ed46d59eeeb07868b83f8a8fb1c31ff2b0e7

SHA256
38d933812c64379934c0828c6f34fad869ad4b4917e69127e3c7b79c7698ecd3

SHA512
c4b9d53bb6364aad8f7cb0e461738e7c4fb5cd56b523dff2fbf971210bbe1e9ba9a8fc173d17d13a58f00c745a72d67f8d59e2307bd135286b1b5f35272df27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Electron

Filesize
89KB

MD5
87a8b11a42d44bdd76a7e7f13548146b

SHA1
b9f573b3fbedefd22654a1fe3ace0a17645631a7

SHA256
dccb0c1ff9d6d213ebf84c219e557d775c1378a36b531eabca2c292e4b8aa914

SHA512
c19c703b2642f8948453890c98d48930f3db3b11738aaaf5c93721e3a6549d2426a0db4e1beefe805c873e432f2d1372033258e64e8e0be4bea69f96f5c995c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facing

Filesize
55KB

MD5
d0bb8521e83b4307dd2924f565657963

SHA1
de5a0f38cc2b23bfd9422cf8edccb9f3920d266d

SHA256
c3948ea1a5973358f4dea1418de40ae264d941538de72a7366d71bda2a1a277b

SHA512
8362dd9438d9a5b39263db21350feba2476b1d5902ed9c24756967e3de1b41799e0412204a36ec10c9d049c7b59a2f1bef04ecb8e53aad1e73d0953d5d1d14f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fl

Filesize
69KB

MD5
376115a02ea3e95a57b36ba3ee1a5777

SHA1
bade897d9617444ed470fb1abce02b5b49595d75

SHA256
6d34d1a3c7a2930ce90af1b5ee05942f64f2474304f0986d5eeaf45f179742ad

SHA512
ab06eabe355ad4cf20082717acd628bf6f15990529b3a798a04506ef4b29b81cb1ab2afd5768b2fe568537ff1c29dfc8f52043cc661e056e5332dc5b4f53de82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Florence

Filesize
85KB

MD5
fba2e00a2185f84dca96b2e995a3d2c8

SHA1
2672bb42714aac9d15f59172300f4f17bd2132b0

SHA256
454aad0d629943109834d7dbcc68843aa8b923b7d9430bda7d637f343f66bff7

SHA512
8dcbda0831d5d1484bbfdd0b615544449845499fb012decd894cc6762ba61d16207386e48c98ce61f10235d4b07769fdc467ccc0e1fb61eb23474e51cc27e69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guru

Filesize
73KB

MD5
04d0a4d2bd5864c46292307b75d1d14b

SHA1
b43037e1b63bdb28caa53edbcbe8d3129b6c5244

SHA256
9226172402eceac38afe6d98470b2b7eee94a2414c6a900663fa6e14350f189e

SHA512
7bd5c48987f5219022f9061daa9ed232cd7a2b7fe47be6a9908c4fae102881e744ef5ba7602b2a37209e10787f6b6912ceac1820ca37495c895c3e5e4afff311

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hurricane

Filesize
90KB

MD5
f53a144760a78a9625be62b7518639db

SHA1
4cd5e66b87d3eded8450f53b1b25d32d6e54643f

SHA256
0a1ea95e8c36fc390e179a97c0e9075d5a41d508bc39a12bc4f581314b23d88c

SHA512
0170b4cfb84a29913cfb209cb7029b172bdc27d08a305b262cb1e391e93e50c9d55ef468393b59f3bd9c35ca5556b786f14c61d47ec4a97970631f933e7f7825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Integration

Filesize
95KB

MD5
806b08d3df83526468927563972690cf

SHA1
cfedd2ab39bdf408a48584cc4844368dbbe787ab

SHA256
b9ebbc0935a35f57d86d38d20ce86a2444cf140b1bdc64b4ac131d0783fd19bf

SHA512
2db12c33cd19905301ca5d15360f68786c69386ba2e2b08ed0be7108ad7dcfe67585563b68a6061bc138bcf79de883aa7279a7cfa82c750fc9c7c11138a76afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ip

Filesize
93KB

MD5
3fd1a53019cf01a0d680840d475cfb5c

SHA1
6293f9939325d7cc7655c905c1841a9a98f9681a

SHA256
ab7600e86f55d7cf88dd2af82ebff7db08a5208d2cda02b8aa4af07d12ebf918

SHA512
85d24d9aa940571cd29717914aaaa64976336b8cf2c05d9b659b65035a6580fbc9893736d9f28f455778ee99526a81feb0e18b79211093a4be5b47fb460c3533

Download Submit
C:\Users\Admin\AppData\Local\Temp\Issn

Filesize
50KB

MD5
4bd0297edee2c815b772452785b471fc

SHA1
8a9d2d0f8b883186a5c6c1909b287832c392bb40

SHA256
18f5b457301dc601f33aa4be2afae230da4f81adb85e33c3065ee6a3599b4fd8

SHA512
686d5245e02600f92f52a3eb84bc4fc7ae082bf2c223c1d82c2e265ee6d8d02fd652706f215b987078cef4f85265e295cca7afd5ddd9cc46cda929b061d7b4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jose

Filesize
55KB

MD5
a88fe507d01a1e1217e1bcd165853c0f

SHA1
7c24c758a78ce1a2a04be663d373c2684185ca5c

SHA256
31474c7388d34c6a61c74172c05395bbaf29e8fe01cc22bc56c3f02e972eefe9

SHA512
f1d4e236264d25c3318ff2d24a27401d7b1de8f04fde6f75565c87de103111a86ee44b4b103193b604326e06a04ae51dade2fd078adad698e6b525a273fd8818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Justice

Filesize
78KB

MD5
6f23a20cc4ee3fa11abf7083aaba4ef5

SHA1
6526bc5ef9f261b6d9eefae9617423ae4206c108

SHA256
0df3319d1a86c399a512e7676975139058b68de0ab409a6c1f6adf4f7a4f764a

SHA512
5ece083e11de07e435e80bf3a5a0b2b2b5b07e3179ecc219b0014224c823de706e6c44d9de943293b4f804d945c0d29bce62196c229664ae0be10b0328b5e422

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lauren

Filesize
50KB

MD5
5a81435029653dab697811997ee46867

SHA1
c2718e5bd7b85f243416fabd3fb7ad0fa09bb1ad

SHA256
3dca021f2bf5a57085be04cddf72e51212d1c7249065d5a48517ac71cd53c80c

SHA512
78de32f2af4ceb54c2e75c289adfc0ab45ac6a50b5d56920a6689d2df95701f83501da8ca02fa515182df7e86a1bc36ee3d87f6a649fdb12876a12e6c124c268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lows

Filesize
97KB

MD5
b39494a877e829a20b64974530b47184

SHA1
91eb95c45fa0b2e7b17a5711b0e08f5f5b8fa318

SHA256
6e2c76935051f7e7c6faade87a45e18cee355fb6d46fc2a76d275b9213db9af1

SHA512
8f978790ec283b8fd31197762e3d7c02cc764a5b1d9dafa5c0cc91715f5615576cf0d295172911d31ec3ecf717c1ebb87127ed803a8248036712e98020c9bf16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nudity

Filesize
55KB

MD5
0409a1e94e64105b4248040177112f23

SHA1
4d873e85e1590120d76911d3f990ec2a2a9fdacd

SHA256
39d3ed6c96d9a66efd0df1912efb0ff448ba2bc751f4ef3e61077cf1041b2f30

SHA512
a16b898792a307a99196e18df79cc52ea54161c5d6dd9197dc23342cd287b6f140ec38163ff7644adc3a9cb3273b9731bfef7da6b7fb27f4e09c1834789566d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patio

Filesize
97KB

MD5
77748093a6cbc1779019f4f65fee9512

SHA1
136aa06c042f645df8419cb02fa09b20a8f88ca9

SHA256
6764bb4f665afa196a2c64750bdc7a5eee173db50ed6a0b2a27fefbc1c39e33c

SHA512
ca0f2bea868dc6be40d86359d8de8fa605ba5263c371eef9fd34750e61c4aa3d4ee0eea25a2d107cbe6325f481b7e47ff935c9e6b7fdc88052b9aa774f26dd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Portal

Filesize
66KB

MD5
6cc0571b3851cb75ad1069bb1ef3bc83

SHA1
7b929e1097970396597c2a27e697e3f4794a7de2

SHA256
4748d664900feb65a38a7576b18b12c6d5cb84a3862ddc70af105614dc061b14

SHA512
3dadcf998952eee1f5b1269911012eb7a7d79747038c6154bcad6c61633341b4ba4118e96a85fe307cc2501ef7d5f44edcbc9a49b93534d54e454a0d337718b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rap

Filesize
84KB

MD5
d94b89bb965de5634f2efb7bbdabba7f

SHA1
12da47973f2aa515a02f08c84a965351cf02b3ff

SHA256
96dd4d75f0bf76b92a7387a7708a6ac1f9e9480b6c07791ba9ed607126e4d193

SHA512
fda36dd999b7f3cf31ca13c03656fcc7ea1443f0a42792790289fab03b8f59a7397b0c41a912fac6707f0e0d1a0646590209847ddb43d5b3b9eca4717b840d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recording

Filesize
22KB

MD5
ae230f1a249d0104998eaf2178b61c64

SHA1
860ceb2d700a8753bf9cbee17e48f764851c5cee

SHA256
4bbe44ec6fafd2b20491f9592f33ac8201a7115756c78e71ee5913d1d90ca7cd

SHA512
e199040af1f9f270235dc361c63695806a0b3e34eaab077f31104860f09d2d27d96a465287daefa905d2d3043cb001ef67a8ab5793b049b6cb6db5ebdd4a45c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reliability

Filesize
70KB

MD5
1b06cd2b285bc58341a5a7ed5f2556e0

SHA1
6b4937199af73361955f55188af100b99278d112

SHA256
ff1c89a31170b2fcb9e11eacfaf820e55ca5d2507ab4da4bf1a805d65fca808b

SHA512
ea9fde472874ca747e8a52b3bfd75679982b864f604607dd43efbc392c55a290f288c61765442835b5ccbba73d45815c1d109b1abf467f9e8570932305199630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rent

Filesize
88KB

MD5
c1f99e8480755610dd880e738a91ff35

SHA1
e4f8104c8671556f9424841363ad236c1aeb584e

SHA256
b4e080fa445897e05ff8fef019b778c592dbe98822dde2c75de56a11972e14e7

SHA512
44a800aefc0dcfbd6122ad6ad65c0e780a3c2647a09a84e1550cf9cdea463677364e52959775a71cf416bf78952f4f0777dca827c9e2090508966b62df9a2495

Download Submit
C:\Users\Admin\AppData\Local\Temp\Replace

Filesize
80KB

MD5
666c46f2ec2c702c2088299dc425017a

SHA1
d4ba5278a096d8f4189a5b08f580c2f317dc8b83

SHA256
bfcdf95e1961d4fa6bf727ce59158f34cbea41ebb7b8cb0b6d2f9379f3aac850

SHA512
931265b666d055d0cd16b52002419a351e97c539a20fdd470afbc56c18e333100a8f09dc85a2f6a41ba94e5c14b64a4eecc58596397fd3625a7b59b667f9d2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Riding

Filesize
79KB

MD5
f1134e1e2ceb0caff3e33a61e809f83d

SHA1
96316d754662269cd004c39a550cfb1b142839bb

SHA256
639f809a239e3c7405bccf45c725b69f30b75d91cc1916a9200bc3f2bb474507

SHA512
c9930974e125e6ff55c78c0250b1cdbd1a8c91a4ff42ca91a43219d4b9472f0d5677468bb07fb623c80dac904f7024069837eaec3ad3ad06d08a2548accacbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\September

Filesize
89KB

MD5
44f7fa2933d6e06d9fe8d43b8993b0e1

SHA1
f959e8317321595b01743d3b62c9685a21e3b8b6

SHA256
29f5319a9c0b9a6befadcffb46727186dc52de121fe1123841f90942e8399901

SHA512
690aa3f6a8c6cbf3ad5e575a7817d095b8163d4a6ed3d96ce140a9e14af7d2b67fdd149568adbc94455dd15dfd83e174d90dc3ed8cb6673dbecec5a755ef1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shipments

Filesize
63KB

MD5
37583961f7cf98b23758cbddc07308ed

SHA1
6d95d902a93e87118819d085c12ac514903d247c

SHA256
9f7042ce6976eb8bf8449ffe505564c4f7c69b473d3842fa5d4e0e70800838e5

SHA512
fb9f765721caaf68b6d8004b90d6fb5d9585df9ec7c78b21b74dd4b38da81ca9a0da03668877c564daf58903952203855ddade384a227a305d52bef2582a79cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spas

Filesize
73KB

MD5
d2e1f3f04d85ae99aa1585298332a4d9

SHA1
f6e7d45ab869839a8cc449c21df2b7e9389d9c43

SHA256
dc0b986b1c3c029990af08e30703374b8536c75936a14893bb98e89c1ed22dba

SHA512
9d4d851d427a54e999fe9a1c883b9fba67fe2593587b4b636dde55517a4226e0deab6ff91b5cf3b42643cc2ede90ea0b92835682ede0cf9e4caaec8db1c9061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Specialist

Filesize
85KB

MD5
39c8c33f6be82b2e8a4674adc4dd6ee2

SHA1
bb36069f3cf7045ba8059eb4a9bf2d64a3d7e275

SHA256
b885b50bf26caf86c5dd987cdef3caf4680731848b03524499461d390d0ce5ef

SHA512
28382498286876d6f8345364995e642bae1d3f7e863b8b74fa2f3c196a301b93bc077461b39b3e366f346e740a98564f54863f42f1b3e8d0e4520d886afc7a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stating

Filesize
60KB

MD5
97e1d9c6de42e984fea49b3e9c7e0cec

SHA1
d0561c27dca5e45a27dd81beac3eb2da71f42b9d

SHA256
ecbd47f2334f675e8b93f8be8bd9171c55ddebdb0cf9f84ae22fc278873c6360

SHA512
476eeca851c3e76b03f6442fddfd939556741c877d18597df7c63d0bc393d24aab5d66812dd271caeb410e27e9b6d873dc2d30680f40f7bd50184c9fe1d5755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sum

Filesize
61KB

MD5
dc6f3e0d816f3f43c9f69632836ab1fe

SHA1
993ea35677106cd22017398d4df00efd998cd9c3

SHA256
13e9da7d24236b70309c6335bc28863002f9745a1c38ef079c793705c8a1460f

SHA512
c3398e57fb64a946de740f95c6506f79b3fa3e931606217e5fe7ff3e33dd6d017070a64ad8ba9bede1a69a7b4d5e9260cff0d9bc658553ce8db9ed9fdfbd4da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trick

Filesize
79KB

MD5
72b4f08f2395ad9dfbd2c146afe01170

SHA1
26b94c559e31156059aca3eac87fd66987f8d116

SHA256
07877832e0bfc26c9c83c03ccbd97958d8d6ac4a6bca1f0600e88b6563dc179f

SHA512
245b8f7cc3c12022f149a587eaa67f0c36e6188bad53fc7c0dffc3bd1fb98f0226cb2b5a9c4a471baf678bb27f279d2aa3d98d5d1e63e373a66b247534358f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twin

Filesize
89KB

MD5
d2717cdb5b89d4dd20497e4be24e5510

SHA1
5cd6b36405771ec1567e892433ef03565de7397e

SHA256
b2ec14174a6c189d23f73fe8ae68198b8d4e5d690dc860a066af94e9fb3d1f11

SHA512
47db95e7ff3771506e6cd8bb7ef8434446e34174c5e9c9b00c499b5a59e5a38625c1179b7faa81d8be511a8e28e7ca0d8223f0f112508a87840d51b9d6a95898

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wiley

Filesize
56KB

MD5
7aff7a4d8631bbdbf585b6905061fedb

SHA1
e9865cafd0d86f41f65dcc8d59feda2047e57f96

SHA256
4add46a28dbe66074fbea4c820aa2eccf9f8269336e7871132d06f4e9aa65fcd

SHA512
953ed528bcfc8bc5ece48c72c18ed1bfc887145e272885f5eb4276876ead353973b68a996914fd7103497c82a3ec3a395e0bc2a8a519280e034321bac8643649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Переход на ПАК.docx

Filesize
62KB

MD5
262f8d916441889cce1935553cb04fc4

SHA1
b3d0b27089b73cedbb9cce7ebc7aacf8f80f3bdf

SHA256
7a63f144269f8ad71e6babdf611c43563ba1d9c6ac353dfe841619e1f69d8681

SHA512
ccb45c2a1e2e0c1d6761a464a4f617e56623eae783ef7b83cbcdbe745ebbf6f67acaf1c373f2ce10a6c4b8c970140fa793d93187cab8443d364b4e102f34ee50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\483308\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/888-593-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1700-586-0x0000000000440000-0x000000000079C000-memory.dmp

Filesize
3.4MB

Download
memory/1700-588-0x0000000000440000-0x000000000079C000-memory.dmp

Filesize
3.4MB

Download
memory/1700-589-0x0000000000440000-0x000000000079C000-memory.dmp

Filesize
3.4MB

Download