quasar | 742b7f6f9540d326cc531b10eee061dbe0bcb385ff1e0d6c854f6b1944be7a4c

Analysis

max time kernel
30s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XS3RCrw6cja4k37R.exe
Size

2.9MB
MD5

f3ba5347ffc2817bdc668d04129696e0
SHA1

723e86d39d02c19baf20c963104f0c7ffc8c3825
SHA256

22649877c97dc3199e05f47cdbb10feb88b890091fde5281296cf014be1f087e
SHA512

df4044b170519f5cd5d8126078cb252bea2b739b6aca524b1cb3eed5db1fd449a83aa6461ba303d95ad65ea043879b4389a942b234d95d502861e7060f8a2d92
SSDEEP

49152:ibv+MKwSlvMN3O8/K9UJctvncMD8x8aDuctVNtDbui5EAq40sL1JzSLeKF:4vHKHhcm/pcMIxL5DbwH4NhJW

Score

10^/10

quasar discovery evasion spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
cjAti90cIswbpuxF3OyR
reconnect_delay
1200

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral7/memory/4312-9-0x0000000000400000-0x00000000006E6000-memory.dmp	disable_win_def
behavioral7/memory/4312-13-0x0000000000400000-0x00000000006E6000-memory.dmp	disable_win_def
behavioral7/files/0x0007000000023ccf-22.dat	disable_win_def
behavioral7/memory/1188-47-0x0000000000250000-0x0000000000258000-memory.dmp	disable_win_def
behavioral7/memory/4312-53-0x0000000000400000-0x00000000006E6000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	t7Q76efrM7xVSp6Q.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	t7Q76efrM7xVSp6Q.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	t7Q76efrM7xVSp6Q.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	t7Q76efrM7xVSp6Q.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral7/memory/4312-9-0x0000000000400000-0x00000000006E6000-memory.dmp	family_quasar
behavioral7/memory/4312-13-0x0000000000400000-0x00000000006E6000-memory.dmp	family_quasar
behavioral7/files/0x0007000000023cd0-33.dat	family_quasar
behavioral7/memory/4312-53-0x0000000000400000-0x00000000006E6000-memory.dmp	family_quasar
behavioral7/memory/4672-52-0x0000000000AC0000-0x0000000000B80000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	XS3RCrw6cja4k37R.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ServiceClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ServiceClient.exe

Executes dropped EXE 6 IoCs

pid	Process
1188	t7Q76efrM7xVSp6Q.exe
4672	ServiceRelay.exe
1948	4c47UZqDTLxzUk4G.exe
3144	ServiceClient.exe
4980	ServiceClient.exe
2440	ServiceClient.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	t7Q76efrM7xVSp6Q.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4152 set thread context of 4312	4152	XS3RCrw6cja4k37R.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1556	3144	WerFault.exe	96
1624	4980	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XS3RCrw6cja4k37R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XS3RCrw6cja4k37R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c47UZqDTLxzUk4G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ServiceClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ServiceClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ServiceClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ServiceRelay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4488	PING.EXE
900	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4488	PING.EXE
900	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4860	schtasks.exe
4696	schtasks.exe
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4152	XS3RCrw6cja4k37R.exe
4152	XS3RCrw6cja4k37R.exe
1948	4c47UZqDTLxzUk4G.exe
1948	4c47UZqDTLxzUk4G.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	XS3RCrw6cja4k37R.exe
Token: SeDebugPrivilege	4672	ServiceRelay.exe
Token: SeDebugPrivilege	3144	ServiceClient.exe
Token: SeDebugPrivilege	4980	ServiceClient.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4312	XS3RCrw6cja4k37R.exe
3144	ServiceClient.exe
4980	ServiceClient.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 1936	4152	XS3RCrw6cja4k37R.exe	85
PID 4152 wrote to memory of 1936	4152	XS3RCrw6cja4k37R.exe	85
PID 4152 wrote to memory of 1936	4152	XS3RCrw6cja4k37R.exe	85
PID 4152 wrote to memory of 4312	4152	XS3RCrw6cja4k37R.exe	86
PID 4152 wrote to memory of 4312	4152	XS3RCrw6cja4k37R.exe	86
PID 4152 wrote to memory of 4312	4152	XS3RCrw6cja4k37R.exe	86
PID 4152 wrote to memory of 4312	4152	XS3RCrw6cja4k37R.exe	86
PID 4152 wrote to memory of 4312	4152	XS3RCrw6cja4k37R.exe	86
PID 4152 wrote to memory of 4312	4152	XS3RCrw6cja4k37R.exe	86
PID 4152 wrote to memory of 4312	4152	XS3RCrw6cja4k37R.exe	86
PID 4312 wrote to memory of 1188	4312	XS3RCrw6cja4k37R.exe	87
PID 4312 wrote to memory of 1188	4312	XS3RCrw6cja4k37R.exe	87
PID 4312 wrote to memory of 4672	4312	XS3RCrw6cja4k37R.exe	88
PID 4312 wrote to memory of 4672	4312	XS3RCrw6cja4k37R.exe	88
PID 4312 wrote to memory of 4672	4312	XS3RCrw6cja4k37R.exe	88
PID 4312 wrote to memory of 1948	4312	XS3RCrw6cja4k37R.exe	89
PID 4312 wrote to memory of 1948	4312	XS3RCrw6cja4k37R.exe	89
PID 4312 wrote to memory of 1948	4312	XS3RCrw6cja4k37R.exe	89
PID 4672 wrote to memory of 1696	4672	ServiceRelay.exe	94
PID 4672 wrote to memory of 1696	4672	ServiceRelay.exe	94
PID 4672 wrote to memory of 1696	4672	ServiceRelay.exe	94
PID 4672 wrote to memory of 3144	4672	ServiceRelay.exe	96
PID 4672 wrote to memory of 3144	4672	ServiceRelay.exe	96
PID 4672 wrote to memory of 3144	4672	ServiceRelay.exe	96
PID 3144 wrote to memory of 4860	3144	ServiceClient.exe	98
PID 3144 wrote to memory of 4860	3144	ServiceClient.exe	98
PID 3144 wrote to memory of 4860	3144	ServiceClient.exe	98
PID 3144 wrote to memory of 4824	3144	ServiceClient.exe	100
PID 3144 wrote to memory of 4824	3144	ServiceClient.exe	100
PID 3144 wrote to memory of 4824	3144	ServiceClient.exe	100
PID 4824 wrote to memory of 4420	4824	cmd.exe	105
PID 4824 wrote to memory of 4420	4824	cmd.exe	105
PID 4824 wrote to memory of 4420	4824	cmd.exe	105
PID 4824 wrote to memory of 4488	4824	cmd.exe	106
PID 4824 wrote to memory of 4488	4824	cmd.exe	106
PID 4824 wrote to memory of 4488	4824	cmd.exe	106
PID 4824 wrote to memory of 4980	4824	cmd.exe	119
PID 4824 wrote to memory of 4980	4824	cmd.exe	119
PID 4824 wrote to memory of 4980	4824	cmd.exe	119
PID 4980 wrote to memory of 4696	4980	ServiceClient.exe	121
PID 4980 wrote to memory of 4696	4980	ServiceClient.exe	121
PID 4980 wrote to memory of 4696	4980	ServiceClient.exe	121
PID 4980 wrote to memory of 2204	4980	ServiceClient.exe	123
PID 4980 wrote to memory of 2204	4980	ServiceClient.exe	123
PID 4980 wrote to memory of 2204	4980	ServiceClient.exe	123
PID 2204 wrote to memory of 1484	2204	cmd.exe	127
PID 2204 wrote to memory of 1484	2204	cmd.exe	127
PID 2204 wrote to memory of 1484	2204	cmd.exe	127
PID 2204 wrote to memory of 900	2204	cmd.exe	128
PID 2204 wrote to memory of 900	2204	cmd.exe	128
PID 2204 wrote to memory of 900	2204	cmd.exe	128
PID 2204 wrote to memory of 2440	2204	cmd.exe	130
PID 2204 wrote to memory of 2440	2204	cmd.exe	130
PID 2204 wrote to memory of 2440	2204	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\XS3RCrw6cja4k37R.exe
"C:\Users\Admin\AppData\Local\Temp\XS3RCrw6cja4k37R.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\XS3RCrw6cja4k37R.exe
  "C:\Users\Admin\AppData\Local\Temp\XS3RCrw6cja4k37R.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\XS3RCrw6cja4k37R.exe
  "C:\Users\Admin\AppData\Local\Temp\XS3RCrw6cja4k37R.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe
    "C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe" 0
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    PID:1188
- - C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe
    "C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1696
  - - C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe
      "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ScYQFEWadMc.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4488
      - C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe
        
        "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "ProtecSys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Or9Cmw4xn1j4.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe
        
        "C:\Users\Admin\AppData\Roaming\SystemServiceProvider\ServiceClient.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2192
        7⤵
        Program crash
        
        PID:1624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1192
        5⤵
        Program crash
        
        PID:1556
- - C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe
    "C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3144 -ip 3144
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4980 -ip 4980
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4c47UZqDTLxzUk4G.exe

Filesize
295KB

MD5
08481f11e5fe4894a359305f22db416f

SHA1
7ea518a53bf02495781b163a1289ce83eaa46127

SHA256
67de8f33db4ace58a818fc5aed65d860417bf4dd14a1bd5fd7d3a395a8ff7aa3

SHA512
74058bd670208222b98443fae3e3e66e1dd8e57a7fe9cdb5d9f5aa134ed1b5945333d820573c12e965910e9c3ca245abfbdd84df1d371d797c59e70ae5630eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ScYQFEWadMc.bat

Filesize
229B

MD5
83ea4e01697bff4e238fb183d2bf277f

SHA1
355a00220433692b63339ef893904f189905c3d3

SHA256
d5839077ab4da9edaaf23c0d9b4415d3c743961c8c11a50b06bbf8aa67a3dc4c

SHA512
a42ec1817614a640342dbfa58ced8db9a49e209a5c7e0f4667feb82481689df38d373c3a37e1d9204d75267b08c77675629af8a0b739778df259ac7a46878d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Or9Cmw4xn1j4.bat

Filesize
229B

MD5
f5063bd529e26e5c2a9c22d115bf6c2c

SHA1
83dba6a2d93e97b815644decf9d969f960845055

SHA256
8ba4ca436efe1b42e560c28f29e0e67b5a39838c05a8f3b34b2a99edcd864c81

SHA512
0c835fe3652ab8943ab1db67be38b1671f41ac816822f5e96f46ec863f86e66816ee01429021e38264091d5391c60707ac39ec5979574de64325752d5f5a7c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ServiceRelay.exe

Filesize
741KB

MD5
ecd249a261ceecdb80e0b4bf001ba8ad

SHA1
2e271018594cac23b87ea0b60b6c6763dbbb0d23

SHA256
bc681f240cda963c599b492b5876f47f624dba3867ea2954d94b93a6c258701f

SHA512
af4c6bc71b714a7a030ab6bcd8ef2f4a0444242c969e514ba15bc6a8184642b89ae08406dbb952d389ec2641100d8e18a2d0e3f74d62dff81171898a17ecc6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\t7Q76efrM7xVSp6Q.exe

Filesize
9KB

MD5
2a4441134fc12a6d704d1f4b2ab58876

SHA1
0367169489fa0854d10f6cc0e57392d640d92b36

SHA256
42997d05907d02764463b0fbfbfc86a03df8ab6399836cd6511129802b9a2492

SHA512
d60bbed90aa1e2547371f2342ed083e068a1933a69df8a7b924e1caa3d7b1e49b33c0bba0c3f261271005a0a8c487679e89f8d2fa0d6169fc7391e4a358000d8

Download Submit
C:\Users\Admin\AppData\Roaming\PressTrak\01-01-2025

Filesize
224B

MD5
1c567746f184f7c5ab675d6e695172cb

SHA1
6aae5cd5d268b0742e289e1b3ce1d1d88653cf35

SHA256
ba9f6a175cd118d3c893ef00b79ee032e000b48bb07352cfb29df1c248986ecf

SHA512
4200ba754ff17bedf3b50037bf96bdf8bce927cebb995ec156b5d3872a59e456a4a0a5949d55e5b0b9377b3d0cc66b892bf3d8a81d51c0db2a5c21e09c8e4676

Download Submit
memory/1188-47-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/1188-43-0x00007FF975A73000-0x00007FF975A75000-memory.dmp

Filesize
8KB

Download
memory/4152-6-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4152-3-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/4152-1-0x0000000000BF0000-0x0000000000EE0000-memory.dmp

Filesize
2.9MB

Download
memory/4152-14-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4152-8-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/4152-7-0x0000000006400000-0x00000000066EE000-memory.dmp

Filesize
2.9MB

Download
memory/4152-0-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

Filesize
4KB

Download
memory/4152-5-0x0000000005B50000-0x0000000005BC6000-memory.dmp

Filesize
472KB

Download
memory/4152-4-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/4152-2-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/4312-53-0x0000000000400000-0x00000000006E6000-memory.dmp

Filesize
2.9MB

Download
memory/4312-9-0x0000000000400000-0x00000000006E6000-memory.dmp

Filesize
2.9MB

Download
memory/4312-13-0x0000000000400000-0x00000000006E6000-memory.dmp

Filesize
2.9MB

Download
memory/4672-55-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4672-56-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/4672-57-0x00000000066A0000-0x00000000066DC000-memory.dmp

Filesize
240KB

Download
memory/4672-52-0x0000000000AC0000-0x0000000000B80000-memory.dmp

Filesize
768KB

Download