quasar | c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe
Size

3.5MB
MD5

0f8d3f0739a8356c4703d9afcf3c9e9e
SHA1

a188aab63cc7f889b17be4062c8f3ad9733f877e
SHA256

c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a
SHA512

42b007929164546ebf4278a4d9d1945be70be19181c7cb1be7e1c5ec3d7f43ff942a6d59e570612543bd5a8d87e763375d61c70548c9f2fb7a87da607b0987e1
SSDEEP

98304:mIELk8TSeoFjXY04O4ofnyzCiygp6R3op7ScQoijW9vICaOJF:J25CFc4jfny21+pfQoHP7

Score

10^/10

quasar billi discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

BILLI

147.45.44.68:4782

Mutex

677eac75-4a16-45d2-8af0-7cc6e5e6d262

Attributes

encryption_key
04207FE1D5AAE79F92E5E13CC9126DCA530C7527
install_name
win32_svchost1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win32_svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1672-83-0x000000001C260000-0x000000001C584000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp

Executes dropped EXE 2 IoCs

pid	Process
4360	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp

Loads dropped DLL 8 IoCs

pid	Process
4360	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
4360	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
1620	regsvr32.exe
1672	regsvr32.exe
2196	regsvr32.EXE
972	regsvr32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2312	powershell.exe
4484	powershell.exe
2312	powershell.exe
4368	powershell.exe
4876	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
1672	regsvr32.exe
1672	regsvr32.exe
4484	powershell.exe
4484	powershell.exe
2312	powershell.exe
2312	powershell.exe
1672	regsvr32.exe
1672	regsvr32.exe
1672	regsvr32.exe
4368	powershell.exe
4368	powershell.exe
972	regsvr32.EXE
972	regsvr32.EXE
4876	powershell.exe
4876	powershell.exe
972	regsvr32.EXE
972	regsvr32.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeIncreaseQuotaPrivilege	4484	powershell.exe
Token: SeSecurityPrivilege	4484	powershell.exe
Token: SeTakeOwnershipPrivilege	4484	powershell.exe
Token: SeLoadDriverPrivilege	4484	powershell.exe
Token: SeSystemProfilePrivilege	4484	powershell.exe
Token: SeSystemtimePrivilege	4484	powershell.exe
Token: SeProfSingleProcessPrivilege	4484	powershell.exe
Token: SeIncBasePriorityPrivilege	4484	powershell.exe
Token: SeCreatePagefilePrivilege	4484	powershell.exe
Token: SeBackupPrivilege	4484	powershell.exe
Token: SeRestorePrivilege	4484	powershell.exe
Token: SeShutdownPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeSystemEnvironmentPrivilege	4484	powershell.exe
Token: SeRemoteShutdownPrivilege	4484	powershell.exe
Token: SeUndockPrivilege	4484	powershell.exe
Token: SeManageVolumePrivilege	4484	powershell.exe
Token: 33	4484	powershell.exe
Token: 34	4484	powershell.exe
Token: 35	4484	powershell.exe
Token: 36	4484	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeIncreaseQuotaPrivilege	2312	powershell.exe
Token: SeSecurityPrivilege	2312	powershell.exe
Token: SeTakeOwnershipPrivilege	2312	powershell.exe
Token: SeLoadDriverPrivilege	2312	powershell.exe
Token: SeSystemProfilePrivilege	2312	powershell.exe
Token: SeSystemtimePrivilege	2312	powershell.exe
Token: SeProfSingleProcessPrivilege	2312	powershell.exe
Token: SeIncBasePriorityPrivilege	2312	powershell.exe
Token: SeCreatePagefilePrivilege	2312	powershell.exe
Token: SeBackupPrivilege	2312	powershell.exe
Token: SeRestorePrivilege	2312	powershell.exe
Token: SeShutdownPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeSystemEnvironmentPrivilege	2312	powershell.exe
Token: SeRemoteShutdownPrivilege	2312	powershell.exe
Token: SeUndockPrivilege	2312	powershell.exe
Token: SeManageVolumePrivilege	2312	powershell.exe
Token: 33	2312	powershell.exe
Token: 34	2312	powershell.exe
Token: 35	2312	powershell.exe
Token: 36	2312	powershell.exe
Token: SeIncreaseQuotaPrivilege	2312	powershell.exe
Token: SeSecurityPrivilege	2312	powershell.exe
Token: SeTakeOwnershipPrivilege	2312	powershell.exe
Token: SeLoadDriverPrivilege	2312	powershell.exe
Token: SeSystemProfilePrivilege	2312	powershell.exe
Token: SeSystemtimePrivilege	2312	powershell.exe
Token: SeProfSingleProcessPrivilege	2312	powershell.exe
Token: SeIncBasePriorityPrivilege	2312	powershell.exe
Token: SeCreatePagefilePrivilege	2312	powershell.exe
Token: SeBackupPrivilege	2312	powershell.exe
Token: SeRestorePrivilege	2312	powershell.exe
Token: SeShutdownPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeSystemEnvironmentPrivilege	2312	powershell.exe
Token: SeRemoteShutdownPrivilege	2312	powershell.exe
Token: SeUndockPrivilege	2312	powershell.exe
Token: SeManageVolumePrivilege	2312	powershell.exe
Token: 33	2312	powershell.exe
Token: 34	2312	powershell.exe
Token: 35	2312	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4360	3320	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe	84
PID 3320 wrote to memory of 4360	3320	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe	84
PID 3320 wrote to memory of 4360	3320	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe	84
PID 4360 wrote to memory of 4728	4360	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp	87
PID 4360 wrote to memory of 4728	4360	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp	87
PID 4360 wrote to memory of 4728	4360	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp	87
PID 4728 wrote to memory of 3848	4728	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe	88
PID 4728 wrote to memory of 3848	4728	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe	88
PID 4728 wrote to memory of 3848	4728	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe	88
PID 3848 wrote to memory of 1620	3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp	89
PID 3848 wrote to memory of 1620	3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp	89
PID 3848 wrote to memory of 1620	3848	c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp	89
PID 1620 wrote to memory of 1672	1620	regsvr32.exe	90
PID 1620 wrote to memory of 1672	1620	regsvr32.exe	90
PID 1672 wrote to memory of 4484	1672	regsvr32.exe	91
PID 1672 wrote to memory of 4484	1672	regsvr32.exe	91
PID 1672 wrote to memory of 2312	1672	regsvr32.exe	94
PID 1672 wrote to memory of 2312	1672	regsvr32.exe	94
PID 972 wrote to memory of 4876	972	regsvr32.EXE	102
PID 972 wrote to memory of 4876	972	regsvr32.EXE	102

C:\Users\Admin\AppData\Local\Temp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe
"C:\Users\Admin\AppData\Local\Temp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\is-1ACSU.tmp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1ACSU.tmp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp" /SL5="$502B4,3231975,161792,C:\Users\Admin\AppData\Local\Temp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe
    "C:\Users\Admin\AppData\Local\Temp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\is-5BM0M.tmp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5BM0M.tmp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp" /SL5="$70116,3231975,161792,C:\Users\Admin\AppData\Local\Temp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\secur32_2.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\secur32_2.drv"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\secur32_2.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\secur32_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F774361-58B8-46A7-8E86-59D7A3D7178A}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\secur32_2.drv
1⤵
- Loads dropped DLL
PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\secur32_2.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4368

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\secur32_2.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\secur32_2.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ac3c9ba89b8c2ef19c601ecebb82157

SHA1
a239a4b11438c00e5ff89ebd4a804ede6a01935b

SHA256
3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e

SHA512
b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d876732bbd3f6c9cf9e2be236480e367

SHA1
8f2dd87515f7bcf62cc89a8a27cc4fa7817e0823

SHA256
a4cea038e351c82952d795d84b29fc3e92680560d881bb86fe9dfbc4658dd9d0

SHA512
375217306f3de9bf02548db09efba9065b84314a1ddecba022613f9502a3302c3e7a800561253c8a2b6bfade0f5f8dd5c5a1ad4e58e45c613965c4564bfb14ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12c844ed8342738dacc6eb0072c43257

SHA1
b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

SHA256
2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

SHA512
e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wplck211.z0m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ACSU.tmp\c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a.tmp

Filesize
1.1MB

MD5
bcc236a3921e1388596a42b05686ff5e

SHA1
43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

SHA256
43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

SHA512
e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-93M5Q.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KAUSA.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Roaming\secur32_2.drv

Filesize
6.1MB

MD5
316d97012c2d8d7c3f9534db4f7f26ad

SHA1
aac9f988d07b470f8c365d2a1db3c0b89023b1be

SHA256
ed16d8f5f7de597c33ccc1b89e24d18664997cebca8babf24228a0386f723a6d

SHA512
e7d7c2f03a0af4cc8023ec96a06de8b52de931d478f35747093f8e674a26de84cf0747b9fca255f288eeb4c505da2a2dbc01bbd9c4f2d68af9ec5659df23e7f8

Download Submit
memory/972-123-0x00007FF83FE30000-0x00007FF84043A000-memory.dmp

Filesize
6.0MB

Download
memory/1672-83-0x000000001C260000-0x000000001C584000-memory.dmp

Filesize
3.1MB

Download
memory/1672-84-0x000000001C070000-0x000000001C0C0000-memory.dmp

Filesize
320KB

Download
memory/1672-85-0x000000001C180000-0x000000001C232000-memory.dmp

Filesize
712KB

Download
memory/1672-86-0x00007FF83FE30000-0x00007FF84043A000-memory.dmp

Filesize
6.0MB

Download
memory/2196-104-0x00007FF83FE30000-0x00007FF84043A000-memory.dmp

Filesize
6.0MB

Download
memory/3320-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3320-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3320-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3848-31-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3848-51-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4360-26-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4360-7-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4484-57-0x00000162E8310000-0x00000162E8332000-memory.dmp

Filesize
136KB

Download
memory/4728-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4728-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4728-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download