quasar | f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe
Size

3.2MB
MD5

f31a91bff6bb5805f4f7b95c0a27cb2a
SHA1

8eeef2262c4288c035d7be99f27ce478dae008ce
SHA256

f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882
SHA512

07f750faf48ef505de12a07acf64136468702ba07d7b5ec9ecbc3d2f6e5c04c3c7ce0ff4b178c5f2f3a1df2b9b0ea8f54687f90137fa58603ddd0896733eaacb
SSDEEP

98304:p1AhvWM65Mf9cZR4FklYJr41ADevpgaSoJxqGT4q:WvWM6iGKkCJ0GevCaXsi4q

Score

10^/10

quasar svhost32 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svhost32

185.147.125.77:4782

Mutex

9500f2e5-aa22-4d12-a2ea-09ddc5050666

Attributes

encryption_key
BD29CA798222621C677ECD67804E6D9D0A95CFCB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4448-83-0x000000001C200000-0x000000001C524000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp

Executes dropped EXE 2 IoCs

pid	Process
4264	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp

Loads dropped DLL 8 IoCs

pid	Process
4264	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
4264	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
4760	regsvr32.exe
4448	regsvr32.exe
3268	regsvr32.EXE
3320	regsvr32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
4288	powershell.exe
2740	powershell.exe
4676	powershell.exe
3704	powershell.exe
2740	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
4448	regsvr32.exe
4448	regsvr32.exe
4288	powershell.exe
4288	powershell.exe
2740	powershell.exe
2740	powershell.exe
4448	regsvr32.exe
4448	regsvr32.exe
3268	regsvr32.EXE
3268	regsvr32.EXE
4676	powershell.exe
4676	powershell.exe
3268	regsvr32.EXE
3268	regsvr32.EXE
3320	regsvr32.EXE
3320	regsvr32.EXE
3704	powershell.exe
3704	powershell.exe
3320	regsvr32.EXE
3320	regsvr32.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeIncreaseQuotaPrivilege	4288	powershell.exe
Token: SeSecurityPrivilege	4288	powershell.exe
Token: SeTakeOwnershipPrivilege	4288	powershell.exe
Token: SeLoadDriverPrivilege	4288	powershell.exe
Token: SeSystemProfilePrivilege	4288	powershell.exe
Token: SeSystemtimePrivilege	4288	powershell.exe
Token: SeProfSingleProcessPrivilege	4288	powershell.exe
Token: SeIncBasePriorityPrivilege	4288	powershell.exe
Token: SeCreatePagefilePrivilege	4288	powershell.exe
Token: SeBackupPrivilege	4288	powershell.exe
Token: SeRestorePrivilege	4288	powershell.exe
Token: SeShutdownPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeSystemEnvironmentPrivilege	4288	powershell.exe
Token: SeRemoteShutdownPrivilege	4288	powershell.exe
Token: SeUndockPrivilege	4288	powershell.exe
Token: SeManageVolumePrivilege	4288	powershell.exe
Token: 33	4288	powershell.exe
Token: 34	4288	powershell.exe
Token: 35	4288	powershell.exe
Token: 36	4288	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeIncreaseQuotaPrivilege	2740	powershell.exe
Token: SeSecurityPrivilege	2740	powershell.exe
Token: SeTakeOwnershipPrivilege	2740	powershell.exe
Token: SeLoadDriverPrivilege	2740	powershell.exe
Token: SeSystemProfilePrivilege	2740	powershell.exe
Token: SeSystemtimePrivilege	2740	powershell.exe
Token: SeProfSingleProcessPrivilege	2740	powershell.exe
Token: SeIncBasePriorityPrivilege	2740	powershell.exe
Token: SeCreatePagefilePrivilege	2740	powershell.exe
Token: SeBackupPrivilege	2740	powershell.exe
Token: SeRestorePrivilege	2740	powershell.exe
Token: SeShutdownPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeSystemEnvironmentPrivilege	2740	powershell.exe
Token: SeRemoteShutdownPrivilege	2740	powershell.exe
Token: SeUndockPrivilege	2740	powershell.exe
Token: SeManageVolumePrivilege	2740	powershell.exe
Token: 33	2740	powershell.exe
Token: 34	2740	powershell.exe
Token: 35	2740	powershell.exe
Token: 36	2740	powershell.exe
Token: SeIncreaseQuotaPrivilege	2740	powershell.exe
Token: SeSecurityPrivilege	2740	powershell.exe
Token: SeTakeOwnershipPrivilege	2740	powershell.exe
Token: SeLoadDriverPrivilege	2740	powershell.exe
Token: SeSystemProfilePrivilege	2740	powershell.exe
Token: SeSystemtimePrivilege	2740	powershell.exe
Token: SeProfSingleProcessPrivilege	2740	powershell.exe
Token: SeIncBasePriorityPrivilege	2740	powershell.exe
Token: SeCreatePagefilePrivilege	2740	powershell.exe
Token: SeBackupPrivilege	2740	powershell.exe
Token: SeRestorePrivilege	2740	powershell.exe
Token: SeShutdownPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeSystemEnvironmentPrivilege	2740	powershell.exe
Token: SeRemoteShutdownPrivilege	2740	powershell.exe
Token: SeUndockPrivilege	2740	powershell.exe
Token: SeManageVolumePrivilege	2740	powershell.exe
Token: 33	2740	powershell.exe
Token: 34	2740	powershell.exe
Token: 35	2740	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4448	regsvr32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 4264	1916	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe	82
PID 1916 wrote to memory of 4264	1916	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe	82
PID 1916 wrote to memory of 4264	1916	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe	82
PID 4264 wrote to memory of 2724	4264	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp	83
PID 4264 wrote to memory of 2724	4264	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp	83
PID 4264 wrote to memory of 2724	4264	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp	83
PID 2724 wrote to memory of 3020	2724	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe	84
PID 2724 wrote to memory of 3020	2724	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe	84
PID 2724 wrote to memory of 3020	2724	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe	84
PID 3020 wrote to memory of 4760	3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp	85
PID 3020 wrote to memory of 4760	3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp	85
PID 3020 wrote to memory of 4760	3020	f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp	85
PID 4760 wrote to memory of 4448	4760	regsvr32.exe	86
PID 4760 wrote to memory of 4448	4760	regsvr32.exe	86
PID 4448 wrote to memory of 4288	4448	regsvr32.exe	87
PID 4448 wrote to memory of 4288	4448	regsvr32.exe	87
PID 4448 wrote to memory of 2740	4448	regsvr32.exe	90
PID 4448 wrote to memory of 2740	4448	regsvr32.exe	90
PID 3268 wrote to memory of 4676	3268	regsvr32.EXE	101
PID 3268 wrote to memory of 4676	3268	regsvr32.EXE	101
PID 3320 wrote to memory of 3704	3320	regsvr32.EXE	104
PID 3320 wrote to memory of 3704	3320	regsvr32.EXE	104

C:\Users\Admin\AppData\Local\Temp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe
"C:\Users\Admin\AppData\Local\Temp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\is-RM034.tmp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RM034.tmp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp" /SL5="$100062,2958433,245248,C:\Users\Admin\AppData\Local\Temp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe
    "C:\Users\Admin\AppData\Local\Temp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\is-G3HVK.tmp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G3HVK.tmp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp" /SL5="$5020C,2958433,245248,C:\Users\Admin\AppData\Local\Temp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\7ntdll.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\7ntdll.drv"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\7ntdll.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\7ntdll.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{25166E3C-D0CA-4F9A-F816-94A18FCDCEC0}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\7ntdll.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\7ntdll.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4676

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\7ntdll.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\7ntdll.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a0c98d318ed5c510c1c9be11bfdaed7

SHA1
6c1eaf7ee000d82a2aaa0e9133dcd93d5d47afb6

SHA256
57a94379695470fe1f72b5ac0a5fc46402b2bba69fd822887f4b47302d919b93

SHA512
88b0af250410d81b62ab73e627426681b00706b6bbed16293f160b4e206e8fad0b83f44e2ecf7923fee9f93fa22a263377dc79ff56b3e14aa9e27b927fa1020a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa4503496ae0b44763bf00ef408de48f

SHA1
f723db7d07a8801fc280e68e4dd36f9ca46a80d1

SHA256
ca563ca6da047d137ff579f11b4672b20370568f143427ce82281ae02adb390e

SHA512
43977ab781bbb2672db785927c88e4a76bbc888eefe4bdaeb9339bb622d4902320a6fc2b778081623f1ab1d3e1b54beb87d90c9ffbe3f6ea5abae9d9759a80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71c4b1323b5c2b0b3dce79a418170c57

SHA1
f2484755165cc812bd2017c3ff93d7aef8e9f642

SHA256
b7151a59702581451ad3accb25d5aa7889a4d385142568331f42b0fcc2019872

SHA512
9048311d8ca08c33c090038fce1b5f28d22e1b9b0c1a6bb27f97619c778e2d474a3f10ab92c76bd487b94e059b5d066d1d960eec15b6a3a74355099494172e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oc0iiewk.wln.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RM034.tmp\f9fc23fe47d3c918c7bc24cbe14e56d9b0024e31660f2a280f3991291b3e5882.tmp

Filesize
1.2MB

MD5
70fcedd0d46d1c97af8e3eb4868c5bf1

SHA1
42ae1e3080be4720fc1bb97ef63d59f2f26e1558

SHA256
fcae74ccb09740303d86a88dd07db209721458e8eb48697f1c7d666a67dd5a07

SHA512
2cc42882fbdcd3d8bc4c3caa2116b76bd65fccff35e6058cfe67a80a307251b77bcbf17ddbd51e9d566f6810ac95ea33848da2a733cab6135d399dfaaf0c1020

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S60UE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ST74Q.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Roaming\7ntdll.drv

Filesize
4.2MB

MD5
0964f6b8db5ffcd0f8817a752ab91fc0

SHA1
1c625ee61cff5f030d080e8124b134542e1ceae7

SHA256
5f69aad1615fa97e4204b25c0bdcab15bc009f4368d8e15981dfbd3b1bb5f8f0

SHA512
2428f2dca314526df68ac5c3e142fc114166f2301d15aa5da5e9c2cdca2071709e806bcc94790f665fdd77d454107a0786f5314bcdedf4ce01280af729e568b6

Download Submit
memory/1916-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1916-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1916-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2724-53-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2724-21-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2724-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3020-33-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3020-51-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3268-104-0x00007FFDCC1C0000-0x00007FFDCC60C000-memory.dmp

Filesize
4.3MB

Download
memory/3320-123-0x00007FFDCC1C0000-0x00007FFDCC60C000-memory.dmp

Filesize
4.3MB

Download
memory/4264-25-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4264-7-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4288-62-0x000002211EE70000-0x000002211EE92000-memory.dmp

Filesize
136KB

Download
memory/4448-85-0x000000001D130000-0x000000001D1E2000-memory.dmp

Filesize
712KB

Download
memory/4448-86-0x00007FFDCC1C0000-0x00007FFDCC60C000-memory.dmp

Filesize
4.3MB

Download
memory/4448-84-0x000000001D020000-0x000000001D070000-memory.dmp

Filesize
320KB

Download
memory/4448-83-0x000000001C200000-0x000000001C524000-memory.dmp

Filesize
3.1MB

Download