quasar | 8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8

Analysis

max time kernel
92s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe
Size

1.3MB
MD5

ad1762e0e5eef2a9e8c2e4b2e16642c0
SHA1

35db306e48aa98e9186ce3205375bd9a09994636
SHA256

8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8
SHA512

e98e3b50b2c3ed954bb180202690c3c6faea329ae6dd55b1612f5e02afb11fcc745c58307b25116de0070696efec1bc29fa3c8e9c574cbf57c0d74b09c7f3da5
SSDEEP

24576:SXgzXWjsCGT27mq5qUSXvpVWK5OjKxAVMDJdNnb4INYKk:5Xos3qQUivHW8OjWA+DJdNnccYT

Score

10^/10

quasar plumora discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Plumora

51.15.17.193:222

Mutex

rMBE19V1piv5vHLGW3

Attributes

encryption_key
aphmBq1R7UlQBWY2O9wd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
word
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4616-68-0x0000000000750000-0x000000000079E000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1952 created 3432	1952	Eur.com	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpsGuardianX.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpsGuardianX.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	Eur.com
4616	RegAsm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4256	tasklist.exe
4048	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BoatHeritage	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe
File opened for modification	C:\Windows\RestoreDocumented	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe
File opened for modification	C:\Windows\ValidationThorough	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe
File opened for modification	C:\Windows\RegistrarWrapped	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eur.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com
1952	Eur.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	tasklist.exe
Token: SeDebugPrivilege	4048	tasklist.exe
Token: SeDebugPrivilege	4616	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1952	Eur.com
1952	Eur.com
1952	Eur.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1952	Eur.com
1952	Eur.com
1952	Eur.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 1948	3868	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe	83
PID 3868 wrote to memory of 1948	3868	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe	83
PID 3868 wrote to memory of 1948	3868	8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe	83
PID 1948 wrote to memory of 4256	1948	cmd.exe	85
PID 1948 wrote to memory of 4256	1948	cmd.exe	85
PID 1948 wrote to memory of 4256	1948	cmd.exe	85
PID 1948 wrote to memory of 4456	1948	cmd.exe	86
PID 1948 wrote to memory of 4456	1948	cmd.exe	86
PID 1948 wrote to memory of 4456	1948	cmd.exe	86
PID 1948 wrote to memory of 4048	1948	cmd.exe	89
PID 1948 wrote to memory of 4048	1948	cmd.exe	89
PID 1948 wrote to memory of 4048	1948	cmd.exe	89
PID 1948 wrote to memory of 4488	1948	cmd.exe	90
PID 1948 wrote to memory of 4488	1948	cmd.exe	90
PID 1948 wrote to memory of 4488	1948	cmd.exe	90
PID 1948 wrote to memory of 4104	1948	cmd.exe	91
PID 1948 wrote to memory of 4104	1948	cmd.exe	91
PID 1948 wrote to memory of 4104	1948	cmd.exe	91
PID 1948 wrote to memory of 2036	1948	cmd.exe	92
PID 1948 wrote to memory of 2036	1948	cmd.exe	92
PID 1948 wrote to memory of 2036	1948	cmd.exe	92
PID 1948 wrote to memory of 3332	1948	cmd.exe	93
PID 1948 wrote to memory of 3332	1948	cmd.exe	93
PID 1948 wrote to memory of 3332	1948	cmd.exe	93
PID 1948 wrote to memory of 4512	1948	cmd.exe	94
PID 1948 wrote to memory of 4512	1948	cmd.exe	94
PID 1948 wrote to memory of 4512	1948	cmd.exe	94
PID 1948 wrote to memory of 3744	1948	cmd.exe	95
PID 1948 wrote to memory of 3744	1948	cmd.exe	95
PID 1948 wrote to memory of 3744	1948	cmd.exe	95
PID 1948 wrote to memory of 1952	1948	cmd.exe	96
PID 1948 wrote to memory of 1952	1948	cmd.exe	96
PID 1948 wrote to memory of 1952	1948	cmd.exe	96
PID 1948 wrote to memory of 3656	1948	cmd.exe	97
PID 1948 wrote to memory of 3656	1948	cmd.exe	97
PID 1948 wrote to memory of 3656	1948	cmd.exe	97
PID 1952 wrote to memory of 2560	1952	Eur.com	98
PID 1952 wrote to memory of 2560	1952	Eur.com	98
PID 1952 wrote to memory of 2560	1952	Eur.com	98
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111
PID 1952 wrote to memory of 4616	1952	Eur.com	111

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d31eb458dbdd8c2a077e0f460af302e23d3101ef2b3244122bbd9f27a9cfdd8N.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Readily Readily.cmd & Readily.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4256
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4456
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4048
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 373206
      4⤵
      System Location Discovery: System Language Discovery
      PID:4104
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Perspective
      4⤵
      System Location Discovery: System Language Discovery
      PID:2036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "Net" Miniature
      4⤵
      System Location Discovery: System Language Discovery
      PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 373206\Eur.com + Lb + Minerals + Dare + Recognized + Producing + Express + Louisiana + Wired 373206\Eur.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Limitations + ..\Budapest + ..\Talking + ..\Gamespot + ..\Productive + ..\Gospel w
      4⤵
      System Location Discovery: System Language Discovery
      PID:3744
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\373206\Eur.com
      Eur.com w
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\373206\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\373206\RegAsm.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4616
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpsGuardianX.url" & echo URL="C:\Users\Admin\AppData\Local\GuardianOps Technologies Inc\OpsGuardianX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpsGuardianX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\373206\Eur.com

Filesize
1KB

MD5
ff76443c2aeda3ca8d85988d9a009518

SHA1
011c62b7ca27444a466c5d4b4fd69089ee06b2d2

SHA256
7c37bc10e94f3d183c07ee8dda2e8a3b9f76483eeb852f8b1f6de598777f0469

SHA512
d5590772af6ad132b65e226493ee41e0903846b8f328d7cfb7e403bdc376b724f82e5e2cf7dd86f51e3881f72bf9d3ac3da9ba9ea1d97152b2bb0cc2d2dec95a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\373206\Eur.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\373206\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\373206\w

Filesize
423KB

MD5
5d00fe034f1d20724db9be1d17aa03c1

SHA1
ee9f4aa4cff2513c6ee4fc3e11fce595e1f9d454

SHA256
3276c42344cfd4415777bda051269e56aa7db166c2cb6c5f47a851abf7588ee8

SHA512
bb272b50686f61fe067c62650ecd81364051be7b4e29d727405e51e69eec183be446cffdc28fff23449d5884a3681e99a149b731dcfbedff4c049192e75f5543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Budapest

Filesize
66KB

MD5
ced539b5d159effcbd06594e02518d06

SHA1
7c23f781a6c40fd9cfb3bea502608fdb4e3f53fa

SHA256
ae2bb8c64e9d46952249939cc3c5e5ad6611ab50a0640127bd3c297516332079

SHA512
3f942945d6c797e4a39ae8f90ffc9630031dd52e7cbee64a03419a2f3763a43adad14aa0118ccd0175c94c0e00daf4e784899bb1c98061491f5691bc846a17d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dare

Filesize
143KB

MD5
c45e72cc700d42dc56f6ab070d70774e

SHA1
42dc09f7e23e76a89413d85c3e317c1182c7b423

SHA256
2802a93803fafff0fd52494db12818412009df41d9673d53093423af2b4fa04c

SHA512
5dcc835ab2438eda0babab126dc562947cb11e1d789bf4cdabec47e9df6cf0d4e6c81a2d5a4cc48c2bf333e7230a925e36038166e9c1db09af39a3e49871b12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Express

Filesize
83KB

MD5
23e0b81360919f96f0b79560e6839d4b

SHA1
b9e911c7fb6a7645958c1b99a103f34cb407f560

SHA256
80ae836e47b03da345b5b7f17da6be1bfaa712f0a21456fc8eca67036a284741

SHA512
8c73bb76303fcf8715baeb0751235dd93cdd050e8f48381ca09974a8871e91a544ebba9fabbe719a3aa5980b66e943f094614fea67fcf4fe263d1ecb3bdab210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gamespot

Filesize
75KB

MD5
55a8351867e40b70f0e93261c9c6f9c0

SHA1
a4182d4a59bec33c99757a3a08202adb1de40490

SHA256
c29aadc75daa6f34d51a735b9d64e995e70a2c8a5538e83126d7e00284f5a472

SHA512
99831e184dac9595969b1c9d3bfdb8325cee82b56bfad60511bd06a58cab8029c43dbd20a78cc3fbb0c65d2a936ee2c83f75a3f4d8cfac680445ff6730603030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gospel

Filesize
59KB

MD5
16ef70a9dc9856f4ba17ef26535e99d3

SHA1
a1db22ceac2a02124c700221024ae832db31c0b8

SHA256
d0ce685b1df0a78edd487375ce625f61144e931e207ac94f747ef1c800984917

SHA512
d6ffe3c4abe8def4284f972484e735bfd96a983da5143c67eeb1571f578f6e8f982de285a88f7c70b83a048dbeb437e151e41c32e6c398204fdf8d09c4066b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lb

Filesize
141KB

MD5
a3b4597c5c55b6e1385349daa4a36599

SHA1
df248e9ef380fee917214e2d042a8088092833f0

SHA256
89ec3ac2006b5a8213c35f055da8e3fe74325dc40724c8bf760cc3431be98776

SHA512
a794b897d0f08600207277753a5886ef2418e23e7ceae4392f99a652a6fb64ee3f5d35750d230878153856c46cfd1d6f76f6ba1f3486c5dd932e3257f2ff05ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Limitations

Filesize
98KB

MD5
71bc102ab0497efd0c8831c29e71f60d

SHA1
c8061fc9320565ad335542c63ace6a9d06f198ea

SHA256
2c65d867a0b6982960f8107c74ceea8a1c110388089a1a1bd70d767a5f44777f

SHA512
7870dcf9259c169fc8ea608abf065ff165e25ff18ed23a61f9122672d76cc1b74fe6cb0cfeec11a7ea304aa6d5049feeabd2c80c9f4e6cfcb283c352dc836634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Louisiana

Filesize
128KB

MD5
56c1ed5fa8c683187c8844c5cc2dcee1

SHA1
aed3608dd3a369e2b9943b7b01b13dd711e4ddf7

SHA256
0c2f2ae052218c8f9463e53bd1295c6020b4adecfdb932d0de5351fe4fdaa1b6

SHA512
f4986569e0574bd2a5ef0a84bd36af747fd240971a5840116e1dbf0a6aadd50a6da797e7ab6ebb8ca2364125d6847e04c871c85e17a3db2c609618f31ddff5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Minerals

Filesize
91KB

MD5
e1ef25ebac937af7ba012587be46efea

SHA1
f95b516be9fce0497f9728f2c79af5cffae5eebe

SHA256
b88fd2432f8ff2cc72a46299f68ac18219a65bd694790d5d5d75ee47e9ba8191

SHA512
2d931cf80b5393246d56e5a0031b96503a49299bf35ca1373e58f6dfd1325a2c99d5edfcc100ecc3d4a5bd79f652d9638675cbfdb113e53fb7dcbc7bf6027cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Miniature

Filesize
1KB

MD5
17c6c15706523f4e779d6c1fc48486a0

SHA1
96a91953b0baf77663ef61f3dcac2b0d6de2194b

SHA256
15fabe555e510a5206ae425ec79565cfa6ce05e746ff66c1b95e526e308916a1

SHA512
4eab7421605a4a189080b04d4c705425d1c657d341afc40bde16f3aa0c01db773202e1290e73f6231de2b7a78db1287071ccb4f60bbcb830873eb0a2b4d059b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Perspective

Filesize
476KB

MD5
390e6633ae0d3077dc258e46ec3eff33

SHA1
ec0b8f4fc02174449762f11801fece2367a938b4

SHA256
0da62115eccae4e8b5572d16ad4e87a7bddc29769ddeaa939a22cebe0a6c8576

SHA512
b6b5f184553e3cefe22b0368d53ac82a6c78dda33d800a832fcf9b25e973e52394b4b14deae84a6240cf1bd615f4bed1b699c84531e8dac95c7cf281cb21fd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Producing

Filesize
83KB

MD5
cba453b0580d620f305af0e52f84e1eb

SHA1
70b4ee3471f76c6dc9ff61724cd6483cedeaf221

SHA256
0845fa6038661f1f2fc27e646e44aa95e1aa2abe000f6874df4f5cbe0b319135

SHA512
1e717117885eb3b2814692e3ad90754ef2c2cef1b97c029e739011bb62498a85dff7fdd1a369b1c975f8990284c4adc7e1e2127147250c5000093d437997d8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Productive

Filesize
68KB

MD5
a9fd716a0445c9ab3cb7f1690429b47f

SHA1
4b04cf3c9de24ddb43285af0e6a620d1dc33ede0

SHA256
c715eb54dcb377bf7b35af22ac03247767f26a9ce5f9f0635574f5430e11080d

SHA512
74e1bf3704dfef24fa2d53ab89650cbf02603ba91d14dbac727c0bde7381915a285150f072cbff735edb83d2607345b9418746a623a252c7dff0ab537a3dab37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Readily

Filesize
20KB

MD5
b12936c12904c996e8c11786bea0f90c

SHA1
4c89abd80b4f7a53539ca5713dda90629b8aa494

SHA256
25081491a9b8c484e21f317e20db51fe99be4b812b73679688db4559e2e2150c

SHA512
da1935ade179346a18f890edc641c6efd1a7ae2e2cd64693a0b3723ea4edd3a937c113f0bf65e28cb10762a502b28fea1914e8b874bbc9b5e3752c8768309a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Recognized

Filesize
122KB

MD5
969ac2e50429e3ae3859539bddec755c

SHA1
5da76d9c785b1c8a91f2fa2246dc1e8e25ec6365

SHA256
7aacfd4cd57537a68e1e093e58d1096214ca85d6d10b0b898272802034957c72

SHA512
4c72147f1cc245f6ae8ec8c66cbe0009460d9078c43116826f61f13d5c1f76b803d246c65da57c256fe654fc750fa9b5c731994d3219f2d7657793d95ba94ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Talking

Filesize
57KB

MD5
9f0785cd33db7c468459a1cc0705fbf9

SHA1
93a7e4ab34aae1f9c61eea568f916b1776918ce4

SHA256
c774647a6c92e69a2c95ad18764b06c8a18439822c41bf334eff21c74d930b90

SHA512
4d7237da2d2aaa7d650a4d879da37c31b321cf33d1d70fd550c52816f81e838a9be2f21618b414b737c06fbe145193169c2a87253adb66290e729ead452dc966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wired

Filesize
132KB

MD5
43f944bd616681cb6887bd821ccb88fa

SHA1
e675020a43a94246da28010a195113d4461bb5b3

SHA256
b3df7544a245eb716582047dbe1b7652b9bc611dcb18f443d74cbb811d92d564

SHA512
1d7718d9cc4925f3cd84406ce9b1ed7fa95835406099d407533d83cc7f0f01febb2d6451f9724db24569f8fb73fa07313c79dcf0081f9f939393edc760d45f86

Download Submit
memory/4616-68-0x0000000000750000-0x000000000079E000-memory.dmp

Filesize
312KB

Download
memory/4616-71-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/4616-72-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/4616-73-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/4616-74-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/4616-75-0x0000000006210000-0x000000000624C000-memory.dmp

Filesize
240KB

Download
memory/4616-77-0x0000000006580000-0x000000000658A000-memory.dmp

Filesize
40KB

Download