njrat | 2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe
Size

9.8MB
MD5

fd86b6c98d65c9d38322424386034c81
SHA1

9c548ab70e4d4f18e92b5cdd62c909c58f5e9b66
SHA256

2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad
SHA512

6eed4fdb7b3c5896ffa93a20671e36068258425e2ac29edcedfd2638a2ea7a16b302ac8e91a91ef3061355ea1c0e154976476d1ea9d15409fe830cebf31a2f12
SSDEEP

196608:6C86m9+NO3mj55jt28jBDpOGce1rjUhz+XshT3olw39xPis5BskMoiE:6C86SMO3iDhBU5hT3o239xqo

Score

10^/10

njrat quasar defender hacked persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.6.0.0

Botnet

defender

20.82.128.5:4444

Mutex

HkuL6QRMZaTdYNlEJY

Attributes

encryption_key
auS4Dqyt2zp1gKolism7
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
C:\Users\neilish\Desktop\rat

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

20.199.40.163:4444

Mutex

Launcher

Attributes

reg_key
Launcher
splitter
|-F-|

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/888-73-0x0000000000400000-0x00000000007C2000-memory.dmp	family_quasar
behavioral1/memory/888-75-0x0000000000400000-0x00000000007C2000-memory.dmp	family_quasar
behavioral1/memory/888-76-0x0000000000400000-0x00000000007C2000-memory.dmp	family_quasar
behavioral1/memory/888-77-0x00000000007AC28E-mapping.dmp	family_quasar
behavioral1/memory/888-80-0x0000000000400000-0x00000000007C2000-memory.dmp	family_quasar
behavioral1/memory/888-82-0x0000000000400000-0x00000000007C2000-memory.dmp	family_quasar

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 8 IoCs

Processes:

proton_nutsed.exelauncher.exeproton_nutsed.exeproton_nutsed.exeFiveM_Launcher.exelauncher.exebuild.exeLancher.exe

pid	process
944	proton_nutsed.exe
1192	launcher.exe
1804	proton_nutsed.exe
888	proton_nutsed.exe
956	FiveM_Launcher.exe
680	launcher.exe
1040	build.exe
1092	Lancher.exe

Drops startup file 5 IoCs

Processes:

Lancher.exeattrib.exebuild.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.exe	Lancher.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.exe	Lancher.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.lnk	build.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.lnk	Lancher.exe

Loads dropped DLL 5 IoCs

Processes:

2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exelauncher.exebuild.exe

pid	process
1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe
1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe
1192	launcher.exe
1192	launcher.exe
1040	build.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

build.exeLancher.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Launcher2 = "C:\\Users\\Admin\\AppData\\Roaming\\Lancher.exe"	build.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Launcher2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Launcher.URL"	Lancher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Launcher2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Launcher.URL"	Lancher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Launcher.URL"	Lancher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Launcher.URL"	Lancher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

proton_nutsed.exe

description pid process target process

PID 944 set thread context of 888 944 proton_nutsed.exe proton_nutsed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

284 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

proton_nutsed.exe

pid process

944 proton_nutsed.exe

flow	ioc
1	ip-api.com

description	pid	process	target process
PID 944 set thread context of 888	944	proton_nutsed.exe	proton_nutsed.exe

pid	process
284	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

proton_nutsed.exeproton_nutsed.exeLancher.exe

description	pid	process
Token: SeDebugPrivilege	944	proton_nutsed.exe
Token: SeDebugPrivilege	888	proton_nutsed.exe
Token: SeDebugPrivilege	1092	Lancher.exe
Token: 33	1092	Lancher.exe
Token: SeIncBasePriorityPrivilege	1092	Lancher.exe
Token: 33	1092	Lancher.exe
Token: SeIncBasePriorityPrivilege	1092	Lancher.exe
Token: 33	1092	Lancher.exe
Token: SeIncBasePriorityPrivilege	1092	Lancher.exe
Token: 33	1092	Lancher.exe
Token: SeIncBasePriorityPrivilege	1092	Lancher.exe
Token: 33	1092	Lancher.exe
Token: SeIncBasePriorityPrivilege	1092	Lancher.exe
Token: 33	1092	Lancher.exe
Token: SeIncBasePriorityPrivilege	1092	Lancher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exeproton_nutsed.exelauncher.exeproton_nutsed.exelauncher.exebuild.exeLancher.exe

description	pid	process	target process
PID 1516 wrote to memory of 944	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	proton_nutsed.exe
PID 1516 wrote to memory of 944	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	proton_nutsed.exe
PID 1516 wrote to memory of 944	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	proton_nutsed.exe
PID 1516 wrote to memory of 944	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	proton_nutsed.exe
PID 1516 wrote to memory of 1192	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	launcher.exe
PID 1516 wrote to memory of 1192	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	launcher.exe
PID 1516 wrote to memory of 1192	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	launcher.exe
PID 1516 wrote to memory of 1192	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	launcher.exe
PID 1516 wrote to memory of 1192	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	launcher.exe
PID 1516 wrote to memory of 1192	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	launcher.exe
PID 1516 wrote to memory of 1192	1516	2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe	launcher.exe
PID 944 wrote to memory of 1804	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 1804	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 1804	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 1804	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 944 wrote to memory of 888	944	proton_nutsed.exe	proton_nutsed.exe
PID 1192 wrote to memory of 956	1192	launcher.exe	FiveM_Launcher.exe
PID 1192 wrote to memory of 956	1192	launcher.exe	FiveM_Launcher.exe
PID 1192 wrote to memory of 956	1192	launcher.exe	FiveM_Launcher.exe
PID 1192 wrote to memory of 956	1192	launcher.exe	FiveM_Launcher.exe
PID 1192 wrote to memory of 956	1192	launcher.exe	FiveM_Launcher.exe
PID 1192 wrote to memory of 956	1192	launcher.exe	FiveM_Launcher.exe
PID 1192 wrote to memory of 956	1192	launcher.exe	FiveM_Launcher.exe
PID 1192 wrote to memory of 680	1192	launcher.exe	launcher.exe
PID 1192 wrote to memory of 680	1192	launcher.exe	launcher.exe
PID 1192 wrote to memory of 680	1192	launcher.exe	launcher.exe
PID 1192 wrote to memory of 680	1192	launcher.exe	launcher.exe
PID 888 wrote to memory of 284	888	proton_nutsed.exe	schtasks.exe
PID 888 wrote to memory of 284	888	proton_nutsed.exe	schtasks.exe
PID 888 wrote to memory of 284	888	proton_nutsed.exe	schtasks.exe
PID 888 wrote to memory of 284	888	proton_nutsed.exe	schtasks.exe
PID 680 wrote to memory of 1040	680	launcher.exe	build.exe
PID 680 wrote to memory of 1040	680	launcher.exe	build.exe
PID 680 wrote to memory of 1040	680	launcher.exe	build.exe
PID 680 wrote to memory of 1040	680	launcher.exe	build.exe
PID 680 wrote to memory of 1040	680	launcher.exe	build.exe
PID 680 wrote to memory of 1040	680	launcher.exe	build.exe
PID 680 wrote to memory of 1040	680	launcher.exe	build.exe
PID 1040 wrote to memory of 1092	1040	build.exe	Lancher.exe
PID 1040 wrote to memory of 1092	1040	build.exe	Lancher.exe
PID 1040 wrote to memory of 1092	1040	build.exe	Lancher.exe
PID 1040 wrote to memory of 1092	1040	build.exe	Lancher.exe
PID 1040 wrote to memory of 1092	1040	build.exe	Lancher.exe
PID 1040 wrote to memory of 1092	1040	build.exe	Lancher.exe
PID 1040 wrote to memory of 1092	1040	build.exe	Lancher.exe
PID 1040 wrote to memory of 1608	1040	build.exe	attrib.exe
PID 1040 wrote to memory of 1608	1040	build.exe	attrib.exe
PID 1040 wrote to memory of 1608	1040	build.exe	attrib.exe
PID 1040 wrote to memory of 1608	1040	build.exe	attrib.exe
PID 1040 wrote to memory of 1608	1040	build.exe	attrib.exe
PID 1040 wrote to memory of 1608	1040	build.exe	attrib.exe
PID 1040 wrote to memory of 1608	1040	build.exe	attrib.exe
PID 1092 wrote to memory of 820	1092	Lancher.exe	attrib.exe
PID 1092 wrote to memory of 820	1092	Lancher.exe	attrib.exe
PID 1092 wrote to memory of 820	1092	Lancher.exe	attrib.exe
PID 1092 wrote to memory of 820	1092	Lancher.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1608 attrib.exe
820 attrib.exe
1252 attrib.exe

pid	process
1608	attrib.exe
820	attrib.exe
1252	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe
"C:\Users\Admin\AppData\Local\Temp\2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Roaming\proton_nutsed.exe
"C:\Users\Admin\AppData\Roaming\proton_nutsed.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\proton_nutsed.exe
"C:\Users\Admin\AppData\Roaming\proton_nutsed.exe"
3⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Roaming\proton_nutsed.exe
"C:\Users\Admin\AppData\Roaming\proton_nutsed.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\neilish\Desktop\rat\Venom.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:284

C:\Users\Admin\AppData\Roaming\launcher.exe
"C:\Users\Admin\AppData\Roaming\launcher.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exe"
3⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\Lancher.exe
"C:\Users\Admin\AppData\Roaming\Lancher.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.exe"
6⤵
- Drops startup file
- Views/modifies file attributes
PID:820

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Launcher.exe"
6⤵
- Views/modifies file attributes
PID:1252

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Lancher.exe"
5⤵
- Views/modifies file attributes
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exe
Filesize
4.1MB

MD5
d97d05bc66dd1f32b058efe158a8a0d7

SHA1
249f438bb523fa16535c5e136aced415ac9f500c

SHA256
6714c9c4d30e77ec4d73efaa3e599c2021ef5ada3806a0c2ffa660af147de4fd

SHA512
dc1775f16efeb82fb46212697987090d10bc965ef695481640b41956620b30905d6e2e56738696c36a30163bd8e47d5311a3b496702cc9b2ab4a286fb0209ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exe
Filesize
4.1MB

MD5
d97d05bc66dd1f32b058efe158a8a0d7

SHA1
249f438bb523fa16535c5e136aced415ac9f500c

SHA256
6714c9c4d30e77ec4d73efaa3e599c2021ef5ada3806a0c2ffa660af147de4fd

SHA512
dc1775f16efeb82fb46212697987090d10bc965ef695481640b41956620b30905d6e2e56738696c36a30163bd8e47d5311a3b496702cc9b2ab4a286fb0209ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
27KB

MD5
c487633021a7d70b1d5be2a7879d018b

SHA1
b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0

SHA256
84df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1

SHA512
d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
27KB

MD5
c487633021a7d70b1d5be2a7879d018b

SHA1
b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0

SHA256
84df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1

SHA512
d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe
Filesize
115KB

MD5
92e7b3f8c98bf7e5364895375f1f21e0

SHA1
9bcdde5a659124a7eb104806164cba6a401a2cca

SHA256
f53dc81b434a31269a56a9493c9b3709293dc10d91acdc9eb081700152b52f1a

SHA512
d2d5ce098cc683cbf3c3af854ca790a1730d1723b72a3aec309f25266b92ac9806c5ad11c27119f9af9a17490d68dd312f831339a54eadb2152b916f4513a129

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe
Filesize
115KB

MD5
92e7b3f8c98bf7e5364895375f1f21e0

SHA1
9bcdde5a659124a7eb104806164cba6a401a2cca

SHA256
f53dc81b434a31269a56a9493c9b3709293dc10d91acdc9eb081700152b52f1a

SHA512
d2d5ce098cc683cbf3c3af854ca790a1730d1723b72a3aec309f25266b92ac9806c5ad11c27119f9af9a17490d68dd312f831339a54eadb2152b916f4513a129

Download Submit
C:\Users\Admin\AppData\Roaming\Lancher.exe
Filesize
27KB

MD5
c487633021a7d70b1d5be2a7879d018b

SHA1
b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0

SHA256
84df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1

SHA512
d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de

Download Submit
C:\Users\Admin\AppData\Roaming\Lancher.exe
Filesize
27KB

MD5
c487633021a7d70b1d5be2a7879d018b

SHA1
b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0

SHA256
84df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1

SHA512
d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.exe
Filesize
27KB

MD5
c487633021a7d70b1d5be2a7879d018b

SHA1
b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0

SHA256
84df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1

SHA512
d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.lnk
Filesize
1KB

MD5
27b9f33ef031b619b7f5f7efec809775

SHA1
e9a7e4ae086b3e99b4a9768cbe3e3b68581c2841

SHA256
91e176949520ba542530ef11c97924ad9fa16aabbddefc1beb00060867846606

SHA512
04b23c86dd2a83555d8f277b971c707b3f53c2a5270c332735aa5a60a0f813671f1bff190ffe5e467c60e848ece8b60c73bea8523d3536a06fb0cd66598956e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Launcher.lnk
Filesize
1020B

MD5
44ec086acb3735135e0a07b6ac1501e5

SHA1
23a98bdb2f277376687522265d26a474b40c23de

SHA256
d0593da0f72a4749438a5100ef06ce22d1ee8cddf871b54b55d3837a95633682

SHA512
d308c76ec847bd0101c06c0aa4efb1dd97942bd158097530499f892d277e3462b753b383cf9abf936dbb7eccb0c573bbbf5fcf13cb25bc61ab4a311ce97c5841

Download Submit
C:\Users\Admin\AppData\Roaming\launcher.exe
Filesize
7.5MB

MD5
cda766c0b83e282f69aaa18f3684b4c2

SHA1
bf7acb1048f02d3cb0738827d2ad326c99b92bde

SHA256
a793fe6608b572bc6052e1e4a77bbdf607a38b5194ae9e1bc1abecdb3e61dfb4

SHA512
1d5971172f54bddb35c8f98e0b7ac3d0f0e49e4a2272b732dfed2bbfa9e440d6a58af0c2b2b7553946cf6540c6df22884476e6bfb159dd12cddff249c70f0ed6

Download Submit
C:\Users\Admin\AppData\Roaming\launcher.exe
Filesize
7.5MB

MD5
cda766c0b83e282f69aaa18f3684b4c2

SHA1
bf7acb1048f02d3cb0738827d2ad326c99b92bde

SHA256
a793fe6608b572bc6052e1e4a77bbdf607a38b5194ae9e1bc1abecdb3e61dfb4

SHA512
1d5971172f54bddb35c8f98e0b7ac3d0f0e49e4a2272b732dfed2bbfa9e440d6a58af0c2b2b7553946cf6540c6df22884476e6bfb159dd12cddff249c70f0ed6

Download Submit
C:\Users\Admin\AppData\Roaming\proton_nutsed.exe
Filesize
3.8MB

MD5
b0ea73cc98e5b248955ae7bac0f9d031

SHA1
18e03a76d01d7f8b423cabb42134f8149732cdea

SHA256
c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64

SHA512
5794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f

Download Submit
C:\Users\Admin\AppData\Roaming\proton_nutsed.exe
Filesize
3.8MB

MD5
b0ea73cc98e5b248955ae7bac0f9d031

SHA1
18e03a76d01d7f8b423cabb42134f8149732cdea

SHA256
c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64

SHA512
5794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f

Download Submit
C:\Users\Admin\AppData\Roaming\proton_nutsed.exe
Filesize
3.8MB

MD5
b0ea73cc98e5b248955ae7bac0f9d031

SHA1
18e03a76d01d7f8b423cabb42134f8149732cdea

SHA256
c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64

SHA512
5794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f

Download Submit
C:\Users\Admin\AppData\Roaming\proton_nutsed.exe
Filesize
3.8MB

MD5
b0ea73cc98e5b248955ae7bac0f9d031

SHA1
18e03a76d01d7f8b423cabb42134f8149732cdea

SHA256
c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64

SHA512
5794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f

Download Submit
\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exe
Filesize
4.1MB

MD5
d97d05bc66dd1f32b058efe158a8a0d7

SHA1
249f438bb523fa16535c5e136aced415ac9f500c

SHA256
6714c9c4d30e77ec4d73efaa3e599c2021ef5ada3806a0c2ffa660af147de4fd

SHA512
dc1775f16efeb82fb46212697987090d10bc965ef695481640b41956620b30905d6e2e56738696c36a30163bd8e47d5311a3b496702cc9b2ab4a286fb0209ae1

Download Submit
\Users\Admin\AppData\Local\Temp\launcher.exe
Filesize
115KB

MD5
92e7b3f8c98bf7e5364895375f1f21e0

SHA1
9bcdde5a659124a7eb104806164cba6a401a2cca

SHA256
f53dc81b434a31269a56a9493c9b3709293dc10d91acdc9eb081700152b52f1a

SHA512
d2d5ce098cc683cbf3c3af854ca790a1730d1723b72a3aec309f25266b92ac9806c5ad11c27119f9af9a17490d68dd312f831339a54eadb2152b916f4513a129

Download Submit
\Users\Admin\AppData\Roaming\Lancher.exe
Filesize
27KB

MD5
c487633021a7d70b1d5be2a7879d018b

SHA1
b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0

SHA256
84df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1

SHA512
d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de

Download Submit
\Users\Admin\AppData\Roaming\launcher.exe
Filesize
7.5MB

MD5
cda766c0b83e282f69aaa18f3684b4c2

SHA1
bf7acb1048f02d3cb0738827d2ad326c99b92bde

SHA256
a793fe6608b572bc6052e1e4a77bbdf607a38b5194ae9e1bc1abecdb3e61dfb4

SHA512
1d5971172f54bddb35c8f98e0b7ac3d0f0e49e4a2272b732dfed2bbfa9e440d6a58af0c2b2b7553946cf6540c6df22884476e6bfb159dd12cddff249c70f0ed6

Download Submit
\Users\Admin\AppData\Roaming\proton_nutsed.exe
Filesize
3.8MB

MD5
b0ea73cc98e5b248955ae7bac0f9d031

SHA1
18e03a76d01d7f8b423cabb42134f8149732cdea

SHA256
c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64

SHA512
5794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f

Download Submit
memory/284-96-0x0000000000000000-mapping.dmp

Download
memory/680-89-0x0000000000000000-mapping.dmp

Download
memory/680-95-0x0000000000320000-0x0000000000344000-memory.dmp

Filesize
144KB

Download
memory/820-114-0x0000000000000000-mapping.dmp

Download
memory/888-73-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/888-82-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/888-80-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/888-77-0x00000000007AC28E-mapping.dmp

Download
memory/888-76-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/888-75-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/888-71-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/888-70-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/944-68-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/944-57-0x0000000000000000-mapping.dmp

Download
memory/944-64-0x0000000000940000-0x0000000000D08000-memory.dmp

Filesize
3.8MB

Download
memory/956-86-0x0000000000000000-mapping.dmp

Download
memory/956-102-0x00000000008E6000-0x00000000008F7000-memory.dmp

Filesize
68KB

Download
memory/956-94-0x0000000000A40000-0x0000000000E5E000-memory.dmp

Filesize
4.1MB

Download
memory/1040-110-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/1040-97-0x0000000000000000-mapping.dmp

Download
memory/1040-101-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/1092-109-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/1092-104-0x0000000000000000-mapping.dmp

Download
memory/1092-119-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-67-0x0000000000CB0000-0x000000000142E000-memory.dmp

Filesize
7.5MB

Download
memory/1192-61-0x0000000000000000-mapping.dmp

Download
memory/1192-83-0x0000000005720000-0x0000000005ADC000-memory.dmp

Filesize
3.7MB

Download
memory/1252-115-0x0000000000000000-mapping.dmp

Download
memory/1516-65-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1516-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-108-0x0000000000000000-mapping.dmp

Download