quasar | c64e3396f244d5442a404688df8482d7193dc8fdaec53c55985eedd75b8c38c1

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

f367a45a5d494d19bcc5f62be92573a9
SHA1

869de872df89891e73fc3e7cb697631cc08c11a8
SHA256

c64e3396f244d5442a404688df8482d7193dc8fdaec53c55985eedd75b8c38c1
SHA512

568fda33b842750113f5d8f027adb6f8111a48a6378cd881c09ddcd643061444f811f2724c34f61a98c8d77c71f75c41be06b6b1e223cabc6a52895fe039fd74
SSDEEP

49152:7vUuf2NUaNmwzPWlvdaKM7ZxTw+DtmamzLpoGdIcsTHHB72eh2NT:7vDf2NUaNmwzPWlvdaB7ZxTw+Dtmd

Score

10^/10

quasar testvps discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

TestVPS

57.129.67.71:4782

ByKami-35613.portmap.host:35613

Mutex

d81e25ce-e597-4c30-883b-6512e05b4d3f

Attributes

encryption_key
5F806F6FD612F4EFC8A3C6F274ACEA836FE88EB8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
HeheThatsQuasar
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2932-1-0x00000000011B0000-0x00000000014D4000-memory.dmp	family_quasar
behavioral1/memory/604-22-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/784-41-0x0000000000320000-0x0000000000644000-memory.dmp	family_quasar
behavioral1/memory/2564-51-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral1/memory/2116-62-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/1524-72-0x00000000010F0000-0x0000000001414000-memory.dmp	family_quasar
behavioral1/memory/1740-101-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2268	PING.EXE
2112	PING.EXE
1168	PING.EXE
1792	PING.EXE
2128	PING.EXE
1968	PING.EXE
664	PING.EXE
2636	PING.EXE
2444	PING.EXE
1460	PING.EXE

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2268	PING.EXE
1168	PING.EXE
1460	PING.EXE
1968	PING.EXE
2112	PING.EXE
664	PING.EXE
2636	PING.EXE
1792	PING.EXE
2444	PING.EXE
2128	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

description	pid	Process
Token: SeDebugPrivilege	2932	Client-built.exe
Token: SeDebugPrivilege	2860	Client-built.exe
Token: SeDebugPrivilege	604	Client-built.exe
Token: SeDebugPrivilege	1092	Client-built.exe
Token: SeDebugPrivilege	784	Client-built.exe
Token: SeDebugPrivilege	2564	Client-built.exe
Token: SeDebugPrivilege	2116	Client-built.exe
Token: SeDebugPrivilege	1524	Client-built.exe
Token: SeDebugPrivilege	2848	Client-built.exe
Token: SeDebugPrivilege	1656	Client-built.exe
Token: SeDebugPrivilege	1740	Client-built.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

pid	Process
2932	Client-built.exe
2860	Client-built.exe
604	Client-built.exe
1092	Client-built.exe
784	Client-built.exe
2564	Client-built.exe
2116	Client-built.exe
1524	Client-built.exe
2848	Client-built.exe
1656	Client-built.exe
1740	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exe

description	pid	Process	procid_target
PID 2932 wrote to memory of 2320	2932	Client-built.exe	30
PID 2932 wrote to memory of 2320	2932	Client-built.exe	30
PID 2932 wrote to memory of 2320	2932	Client-built.exe	30
PID 2320 wrote to memory of 2704	2320	cmd.exe	32
PID 2320 wrote to memory of 2704	2320	cmd.exe	32
PID 2320 wrote to memory of 2704	2320	cmd.exe	32
PID 2320 wrote to memory of 2268	2320	cmd.exe	33
PID 2320 wrote to memory of 2268	2320	cmd.exe	33
PID 2320 wrote to memory of 2268	2320	cmd.exe	33
PID 2320 wrote to memory of 2860	2320	cmd.exe	34
PID 2320 wrote to memory of 2860	2320	cmd.exe	34
PID 2320 wrote to memory of 2860	2320	cmd.exe	34
PID 2860 wrote to memory of 1456	2860	Client-built.exe	36
PID 2860 wrote to memory of 1456	2860	Client-built.exe	36
PID 2860 wrote to memory of 1456	2860	Client-built.exe	36
PID 1456 wrote to memory of 1964	1456	cmd.exe	38
PID 1456 wrote to memory of 1964	1456	cmd.exe	38
PID 1456 wrote to memory of 1964	1456	cmd.exe	38
PID 1456 wrote to memory of 1968	1456	cmd.exe	39
PID 1456 wrote to memory of 1968	1456	cmd.exe	39
PID 1456 wrote to memory of 1968	1456	cmd.exe	39
PID 1456 wrote to memory of 604	1456	cmd.exe	40
PID 1456 wrote to memory of 604	1456	cmd.exe	40
PID 1456 wrote to memory of 604	1456	cmd.exe	40
PID 604 wrote to memory of 3012	604	Client-built.exe	41
PID 604 wrote to memory of 3012	604	Client-built.exe	41
PID 604 wrote to memory of 3012	604	Client-built.exe	41
PID 3012 wrote to memory of 1996	3012	cmd.exe	43
PID 3012 wrote to memory of 1996	3012	cmd.exe	43
PID 3012 wrote to memory of 1996	3012	cmd.exe	43
PID 3012 wrote to memory of 2112	3012	cmd.exe	44
PID 3012 wrote to memory of 2112	3012	cmd.exe	44
PID 3012 wrote to memory of 2112	3012	cmd.exe	44
PID 3012 wrote to memory of 1092	3012	cmd.exe	45
PID 3012 wrote to memory of 1092	3012	cmd.exe	45
PID 3012 wrote to memory of 1092	3012	cmd.exe	45
PID 1092 wrote to memory of 820	1092	Client-built.exe	46
PID 1092 wrote to memory of 820	1092	Client-built.exe	46
PID 1092 wrote to memory of 820	1092	Client-built.exe	46
PID 820 wrote to memory of 1576	820	cmd.exe	48
PID 820 wrote to memory of 1576	820	cmd.exe	48
PID 820 wrote to memory of 1576	820	cmd.exe	48
PID 820 wrote to memory of 1168	820	cmd.exe	49
PID 820 wrote to memory of 1168	820	cmd.exe	49
PID 820 wrote to memory of 1168	820	cmd.exe	49
PID 820 wrote to memory of 784	820	cmd.exe	50
PID 820 wrote to memory of 784	820	cmd.exe	50
PID 820 wrote to memory of 784	820	cmd.exe	50
PID 784 wrote to memory of 2052	784	Client-built.exe	51
PID 784 wrote to memory of 2052	784	Client-built.exe	51
PID 784 wrote to memory of 2052	784	Client-built.exe	51
PID 2052 wrote to memory of 1532	2052	cmd.exe	53
PID 2052 wrote to memory of 1532	2052	cmd.exe	53
PID 2052 wrote to memory of 1532	2052	cmd.exe	53
PID 2052 wrote to memory of 664	2052	cmd.exe	54
PID 2052 wrote to memory of 664	2052	cmd.exe	54
PID 2052 wrote to memory of 664	2052	cmd.exe	54
PID 2052 wrote to memory of 2564	2052	cmd.exe	55
PID 2052 wrote to memory of 2564	2052	cmd.exe	55
PID 2052 wrote to memory of 2564	2052	cmd.exe	55
PID 2564 wrote to memory of 2132	2564	Client-built.exe	56
PID 2564 wrote to memory of 2132	2564	Client-built.exe	56
PID 2564 wrote to memory of 2132	2564	Client-built.exe	56
PID 2132 wrote to memory of 1972	2132	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SImp9omzekc9.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2704
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\lX7ogDm3iZ05.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1964
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:604
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z4eNFYa7QO1s.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GovsBCgweon5.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XPJkNnTnu93W.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QlYC6yG33Frv.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2TFnutqyuQc9.bat" "
        14⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\24G2EaXkxr4k.bat" "
        16⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdqUV5VX4kk1.bat" "
        18⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FfIct2SaNbet.bat" "
        20⤵
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24G2EaXkxr4k.bat

Filesize
209B

MD5
a5673c2634a7691e319fc73db27516d2

SHA1
b85652cce66ef314c977ad1b212d0fed257eca90

SHA256
2cafec5214c0af6ba2cfa092592cd2195b5603051290e1cb0479b2022655fc00

SHA512
afafca00b0f61447e1a4e0e5d0c8ba138411a3c569751b0e05f508a851a92cdc12c30e142b8653d142b15e7aada109f50e694155024a14d58f0962d2ba332c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\2TFnutqyuQc9.bat

Filesize
209B

MD5
4db614471b5799c18d8881d5a1d9ac77

SHA1
1ab1121e5ba240cafe7e15a5d78eb805e6882d1b

SHA256
e0a57bff0c6dd2a504058ae53824fbf6f144631362088d6b43695205cc7a5668

SHA512
2d6204c17a3614cb6d54b0842a2fe60c37af076569da7d5aba1a765893c3c1efe7cdb2884bdbbfe77c2e296e7d89901cbc4274e6a7818f6a5957aa53a7f388c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfIct2SaNbet.bat

Filesize
209B

MD5
19dfbfa5f94785670b6c8598b87fa688

SHA1
794766ae18c561cebfbd4c1fdc781732bc44eff9

SHA256
2358e64214fb627f5ef1954db509b48bebc2f2a71209123ac2c7b79f26e5ab6a

SHA512
45bdac9aefbd4a10506de84afa7c1f527c8fb8c42312f74a56d1287f9276d9db962ffeccc163910d9e4b019c7a78c78b0563f0b598df0ecc171c218af83fecfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GovsBCgweon5.bat

Filesize
209B

MD5
3aca044a05f4cf0e577dfe86a992b475

SHA1
a148d031a4b24ccc83a014d25fff8db3ba2dae88

SHA256
86eee23d6905e7cb50cf9fabb1fe07e043086e52d1d0017130c38ef368fbce78

SHA512
6049e2702886f43188ddbd20b12173424773735353354a0dfeda7be3374dbdad11906aa96510ddfd3898827d4e8ea0c4cbef050651412300be4917ddc0d45475

Download Submit
C:\Users\Admin\AppData\Local\Temp\QlYC6yG33Frv.bat

Filesize
209B

MD5
a5e17fce0ed2ebf750328706110ffa5f

SHA1
99098c80f627871311773191b7fe3a573e3cdc1e

SHA256
5bba5cd15b80d909850bbccaa8be81525c1293834b708c9f1d700b8b5a69f3a9

SHA512
f5dda6d390bab74019401ee58b25f51fa29f4ed9ba59477588b03bb77fe0782a65d219af1d47d5d6a070a7125b4fb7c0b99e699bc98d9a004fc79e248e4a1218

Download Submit
C:\Users\Admin\AppData\Local\Temp\SImp9omzekc9.bat

Filesize
209B

MD5
7e9593a3f1e757ae739b2a7f041ca295

SHA1
00475b88e026d44d8506a33b065cb56d24a5b3f8

SHA256
5284602c1b91acc553cbc14cd7f9de2b5d13d48d4a0574bc40c082457172a3c2

SHA512
cb323d568ff3e0f88ce71b56533de7953ec1cbd0efc25322a04b2da7c9d3fce0b82dc8118a8adcbdae253da737201d2ffded8ff3216643855d7c302bfb73f155

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJkNnTnu93W.bat

Filesize
209B

MD5
95190904ddb70a16495ec57e009ba9b5

SHA1
b72bdb1e674c57c519a3de410a0e09733f194479

SHA256
bcf489ec0b9d56afebeffcfcf569ca9aeb117c76d7e7b70b6b665c362a0d720e

SHA512
539db38393e8b715c5fa875645832e71755fa2d07cf734e7402de2b5929bc0fc442971b03968ff964567c067c39a54b8fca805e32f6a8ef1c788a59f77af4cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdqUV5VX4kk1.bat

Filesize
209B

MD5
d3bcdda29fc2d418bee81c94e6061fc2

SHA1
f815400b6f01c7bf1dd1f48c38ec9c31475c0cd2

SHA256
473440b1a6879c00188732cb7c3224856bf6baf893ef118a270a66b711929c94

SHA512
b5c1283bf9dbfc206ab19b5c26a4d5d7f82f81903846b4019f7bf9e841ff2c413cd083ad447cfdb5a50262038d1464fd40a339f91ac6961f7c190b074f9853e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4eNFYa7QO1s.bat

Filesize
209B

MD5
468aa762a80e247323aa19c7fa7302b0

SHA1
237eb690bddf092e9341cdb4a2c70da756983525

SHA256
e26ec20e32a3c8f127e8a2bfb7d5538f09eb30427b9034d6334e50341077bd78

SHA512
8ee3400af817f4c2fd2d61aabf70aad98e624b5c12e2b0f905ecc4b9f493ddf19a63042b53a119301296c3e367bdef8b53f66f33a5dc1fbe66d51d474986df63

Download Submit
C:\Users\Admin\AppData\Local\Temp\lX7ogDm3iZ05.bat

Filesize
209B

MD5
39fd1a0e91b2c5d9f3a93dd54f8e7bb8

SHA1
bf1d15fdf07461cd6704ad39897966efd0e79c50

SHA256
5de795157aa4d17bb170d5493cef93982c9c7641e6d48409e9da78e8ed8dbbe5

SHA512
106a2acdb3494e712e3eb390a0da2a0344ce7bad7242e8d6dbe8eb32674a4005e649ae92e9f8aefb89b118a3419340d3eedfd82d67f93e281e90966c2cd170d3

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/604-22-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/784-41-0x0000000000320000-0x0000000000644000-memory.dmp

Filesize
3.1MB

Download
memory/1524-72-0x00000000010F0000-0x0000000001414000-memory.dmp

Filesize
3.1MB

Download
memory/1740-101-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/2116-62-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/2564-51-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/2932-12-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x00000000011B0000-0x00000000014D4000-memory.dmp

Filesize
3.1MB

Download