quasar | 722b72dc48a27d091bf8904c3cb4b71613eceaa099122c070a1f16880dcbc5bd

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2023, 07:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dfab2d1e82849333afbacbee3c34f3ee.exe
Size

1.5MB
MD5

dfab2d1e82849333afbacbee3c34f3ee
SHA1

f5de021e17f4e080302a1a10f8471b3ccccbaba7
SHA256

722b72dc48a27d091bf8904c3cb4b71613eceaa099122c070a1f16880dcbc5bd
SHA512

156ee882e000adca7609e3fd20208abbef501a98cd290f48e1e35aaeb3ff95c1bf45f7f052f689182a37f89de022cb3710d4020c6a542187a629c7846a62e840
SSDEEP

24576:DWmAFubSDY4ImEadU/WnVW+g1koqHEjj075OCRMY9U0qbuoiRLzFwJsB0nUWpvWL:L20tLv/avgGdkjjQuY9UuogVBsUgm

Score

10^/10

quasar 2 spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

64.52.80.152:4782

Mutex

rilN1fAD44GAdui4NQWxRcZ5xvcTflQkoO1X

Attributes

encryption_key
Bdpmr7D1QFqfxRDrBKr2
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4428-237-0x0000000000580000-0x00000000005CE000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4592 created 1292	4592	Gifts.exe.pif	26

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwRCiDfhzi.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwRCiDfhzi.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1924	Engine.exe
4592	Gifts.exe.pif

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001f73a-149.dat	upx
behavioral2/files/0x000200000001f73a-150.dat	upx
behavioral2/memory/1924-152-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral2/memory/1924-229-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral2/memory/1924-232-0x0000000000400000-0x0000000000557000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4592 set thread context of 4428	4592	Gifts.exe.pif	107

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{5FB7EEA9-C1E4-4E94-BB8C-155B5597D415}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{9E8E02DF-456A-46AE-8395-248311E14EEB}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4780	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2312	powershell.exe
2312	powershell.exe
2312	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4428	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4592	Gifts.exe.pif
4592	Gifts.exe.pif
4592	Gifts.exe.pif

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1848	OpenWith.exe
4428	jsc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1924	1764	dfab2d1e82849333afbacbee3c34f3ee.exe	86
PID 1764 wrote to memory of 1924	1764	dfab2d1e82849333afbacbee3c34f3ee.exe	86
PID 1764 wrote to memory of 1924	1764	dfab2d1e82849333afbacbee3c34f3ee.exe	86
PID 1924 wrote to memory of 652	1924	Engine.exe	87
PID 1924 wrote to memory of 652	1924	Engine.exe	87
PID 1924 wrote to memory of 652	1924	Engine.exe	87
PID 652 wrote to memory of 2436	652	CmD.exe	90
PID 652 wrote to memory of 2436	652	CmD.exe	90
PID 652 wrote to memory of 2436	652	CmD.exe	90
PID 2436 wrote to memory of 2312	2436	cmd.exe	92
PID 2436 wrote to memory of 2312	2436	cmd.exe	92
PID 2436 wrote to memory of 2312	2436	cmd.exe	92
PID 2436 wrote to memory of 4076	2436	cmd.exe	93
PID 2436 wrote to memory of 4076	2436	cmd.exe	93
PID 2436 wrote to memory of 4076	2436	cmd.exe	93
PID 2436 wrote to memory of 2752	2436	cmd.exe	94
PID 2436 wrote to memory of 2752	2436	cmd.exe	94
PID 2436 wrote to memory of 2752	2436	cmd.exe	94
PID 2436 wrote to memory of 4592	2436	cmd.exe	95
PID 2436 wrote to memory of 4592	2436	cmd.exe	95
PID 2436 wrote to memory of 4592	2436	cmd.exe	95
PID 2436 wrote to memory of 4780	2436	cmd.exe	96
PID 2436 wrote to memory of 4780	2436	cmd.exe	96
PID 2436 wrote to memory of 4780	2436	cmd.exe	96
PID 4592 wrote to memory of 4984	4592	Gifts.exe.pif	97
PID 4592 wrote to memory of 4984	4592	Gifts.exe.pif	97
PID 4592 wrote to memory of 4984	4592	Gifts.exe.pif	97
PID 4592 wrote to memory of 4428	4592	Gifts.exe.pif	107
PID 4592 wrote to memory of 4428	4592	Gifts.exe.pif	107
PID 4592 wrote to memory of 4428	4592	Gifts.exe.pif	107
PID 4592 wrote to memory of 4428	4592	Gifts.exe.pif	107
PID 4592 wrote to memory of 4428	4592	Gifts.exe.pif	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1292
- C:\Users\Admin\AppData\Local\Temp\dfab2d1e82849333afbacbee3c34f3ee.exe
  "C:\Users\Admin\AppData\Local\Temp\dfab2d1e82849333afbacbee3c34f3ee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\SETUP_10375\Engine.exe
    C:\Users\Admin\AppData\Local\Temp\SETUP_10375\Engine.exe /TH_ID=_1636 /OriginExe="C:\Users\Admin\AppData\Local\Temp\dfab2d1e82849333afbacbee3c34f3ee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\CmD.exe
      C:\Windows\system32\CmD.exe /c cmd < Deutsch
      4⤵
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^letterNorwegianValidityFootageRoland$" Paragraph
        6⤵
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\gpclkuua.q1o\1224\Gifts.exe.pif
        
        1224\\Gifts.exe.pif 1224\\v
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4428
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 8
        6⤵
        Runs ping.exe
        
        PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwRCiDfhzi.url" & echo URL="C:\Users\Admin\AppData\Local\qwdxQhnvfl\zkRQWjS.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwRCiDfhzi.url"
  2⤵
  - Drops startup file
  PID:4984

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b1ca171ae4d5cdafee871c3f11d51f03

SHA1
c22dce0c9084e7f7acd2c8535ca0f114844a4953

SHA256
a8f531946b1dc179028d5de941690a4f4095159797eeea18ba3068c76c6aaa44

SHA512
e8e07ca5029bec3c5a320ae8ae7a5607bc43682e8f4c11f6bbc20c5e51fa1b0290cf94dcfcd3e15a72b43dfd90d6eaf863a02d7b33f891d5a4389e4aae55a922

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00000#Attendance

Filesize
171KB

MD5
870e5214121b2a65b1fe3ec3009d7545

SHA1
af6b1befe9ba08bc464a2f021b6e0d62dcad2bdf

SHA256
92fba14b16b52eada9d34032c964038d15a1307d81d533ce4f52520520574b64

SHA512
95ba0abf7f15fc907bce137ce5a0333101122b56ee36b5525ce3a8f441c992ffcbde9c0a30e0949ddabf488eed8807d5b4078c3de894a242091663693462ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00001#Ben

Filesize
1.1MB

MD5
027c878438bae683a346444b983fd4e8

SHA1
c5b8319366615996dceb05a75c2308a519298c65

SHA256
3a0819eeea75870aac41d2b4bbaa145bc8c68a0104052e419c592c2179b7786b

SHA512
a88128bb04048412ec23d95bd9d70a04e9348f2e84a81942f0692f5014e15b225e526ac647cd1521cf81f4fc859d3a43298c90df0ff18b3d219d2295b54828da

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00002#Circles

Filesize
100KB

MD5
08a6529e590cf73f4bf49958b3142a70

SHA1
2a7d6ed01dad1d84f3fadfa25cd4db151c9c8b99

SHA256
f1785498f3dc7b4946409bbdafcb29c46aacfea69b05616922c7c495856c7fc5

SHA512
8548f2907a5dbaff9b38bcac672c6a340a59db915377f5214ba7dbaa2748f5fa18f299a35d009f3fcf9502522dd9fcd7ab16a9f9f5ad1df1fdd6a1768845d3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00003#Deutsch

Filesize
14KB

MD5
d7989212e6fc5ea9bea50da73e78d91b

SHA1
e04a48ae6d95b152dc353c52661d52fd172830d2

SHA256
604ccda0504eb5fc007b5ea50e24473179a87a56508c1a3b6d9b320a36bd2265

SHA512
8d0741996914224f57660b2d80e6429e96696731e243841b95e19050a7801286bd1d4c62110563a1198fdda07dc05fc80b7a3c29455e445b6f5425494321eb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00004#Kate

Filesize
193KB

MD5
24a472df838100d6b94a8c254cdf99a2

SHA1
57970b8186788d5c488e21381b5e16b7318516d7

SHA256
3a72727aabeef2d4a4dc01911fd87e6b88f0e557d620b4845fa28b2f34f60671

SHA512
3c01652a3da4addabfeb2877fb936f7349fdf71ec7b431a33707315a2ac6904c9d5e68c3ff3f7224bd807f36bf795d25147bbb7c5c0977a7ffcc2a80adb2ffcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00005#Magnet

Filesize
21KB

MD5
70bfbac48fc824d7614b582220ff7f64

SHA1
5d9f20c7a30887e34f6532eeaeea44fdb5232a8c

SHA256
887cb239b8888aa38b60170f170aef828ee22e0adf8573281b2f95cbb7ae6a8d

SHA512
dc05b881554f85ad81e36ce574322c7c8672db624a9b9be00051be0a4f6bfec2ef7f79bd12072239529073bd52a0d054bade6b5d19cf3c259e1700ba9ea47ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00006#Measuring

Filesize
181KB

MD5
af479f5d1bf33e8dbb9599847012123c

SHA1
6dc9113d35e1c947bbe2dd388078a42731a30b05

SHA256
515d544da2083f5ddaf47439ce51ac4eb9c5d1315d7a3290ba12fcde88391a35

SHA512
d97d72b5f95f47c28d60958e3388be92c33d7fdcfd11e264737e52e205424f4ea78f9737984c9069b5ce307264ffd580e590a9e995a3db8b7982cb050b2665ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00007#Practitioners

Filesize
76KB

MD5
0954a3caf5aa8182b44fa4f8026793e5

SHA1
e769c7bc10f0183d09ea11f2c3591b455a3019f4

SHA256
fb136d7d5c031d54a1b054c5e669e00f2b1f973ca8c90ae715fff41c10f48f57

SHA512
0cc34d29d4be01a34b13c081dcab44c403e19ceedc520253f7fbe8138b7e3314242d779b63ee1823e6945adc54203e406421c0f7dfa1937f625451cf4344e12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00008#Seafood

Filesize
58KB

MD5
513f2bc1f6636b07100d47ce6097071e

SHA1
c93cac56a81f7c3fbcc6641a4d7edbe7ec8298be

SHA256
19ce5db8c77d5806ee6960bf919b2462e208a17e7f94cfe5ee5cae519c70cf1b

SHA512
bf648c2557757b6b5991e4fdeaed336b4acbb94bc24d1ffec4314a22b4b811cc41b159982522df411b9c3a5ce45a88c996f31d206a26e5d677b02a9bb30d2aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\00009#Thought

Filesize
125KB

MD5
8265ec17711f9634ceb593167b865c5d

SHA1
05ee846548f562fe2bde65be803a4e9ffa3a12dc

SHA256
78f25fb5453a158287c5b19f397afeae888dbdf141863e78e55ac3a41b412fd9

SHA512
ccb48b71516510b5af9da04f1be6bbc12d592d14b8b2704c5fff9e2d3a0ce2c4162235d5edfb439faa14b17204b558c3387f2127862ab40601e065f6b39fe275

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\Engine.exe

Filesize
418KB

MD5
79f445791cf89c3f7e0ca29485757b6d

SHA1
e325ab8bcd7258e8f284cec604d821c3590ec310

SHA256
32cd48eb22bbc8014375c5cab25e15977d3100716ce24e01a24ed03541fef9e4

SHA512
87cda6f632696c6a48785315f116a8710aeed53cb38f6e39abc541dc59858fa91f26fbf594587fa94f2c3f5456d0610709b3da9a05c0f1ae5e42f9edf6a5b4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\Engine.exe

Filesize
418KB

MD5
79f445791cf89c3f7e0ca29485757b6d

SHA1
e325ab8bcd7258e8f284cec604d821c3590ec310

SHA256
32cd48eb22bbc8014375c5cab25e15977d3100716ce24e01a24ed03541fef9e4

SHA512
87cda6f632696c6a48785315f116a8710aeed53cb38f6e39abc541dc59858fa91f26fbf594587fa94f2c3f5456d0610709b3da9a05c0f1ae5e42f9edf6a5b4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_10375\Setup.txt

Filesize
2KB

MD5
2e5db80d60ec22c22ab56788800bf103

SHA1
75ded6e420f3d974eff48aaaa349218e7962d17d

SHA256
77a80925bbbcdfa9c989a9b50429cd6d51053f9c0d8d7f466a247206b9479837

SHA512
47909584130e5292e1c639d4755b200fc0552056c30d331dcbb0bb470cf9d149ecf0cbb4059ef3fbf9bfaea99616a9eedba01fa2febb2a7e7177a9cbd999366a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nh5aio51.bmz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpclkuua.q1o\1224\Gifts.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpclkuua.q1o\1224\Gifts.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpclkuua.q1o\Paragraph

Filesize
925KB

MD5
293d72e4e1c0f77098a4cefc966fb243

SHA1
55b2ca74fd0cbc597810cda774ff9e031088ca2a

SHA256
85a97e78df97d39243a3a103712c3dfab75529361759fb3459d5d33ab89417d4

SHA512
97d18a43a6f30f1c0b7e7c19921bf84f59799142444e2bb7661f76f64fa3c5cdbf4d27d4602d49189f5989502fc4bc653756518a6d793acd542872f517fb23aa

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1764-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-232-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1924-153-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1924-230-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1924-229-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1924-152-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2312-200-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/2312-195-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/2312-191-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2312-179-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/2312-182-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/2312-181-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/2312-180-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/2312-183-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/2312-198-0x0000000006C20000-0x0000000006C3A000-memory.dmp

Filesize
104KB

Download
memory/2312-196-0x0000000007700000-0x0000000007796000-memory.dmp

Filesize
600KB

Download
memory/2312-189-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2312-199-0x0000000006CA0000-0x0000000006CC2000-memory.dmp

Filesize
136KB

Download
memory/4076-205-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4076-204-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4428-237-0x0000000000580000-0x00000000005CE000-memory.dmp

Filesize
312KB

Download
memory/4428-239-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/4428-240-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4428-241-0x0000000005BB0000-0x0000000005BC2000-memory.dmp

Filesize
72KB

Download
memory/4428-242-0x0000000006120000-0x000000000615C000-memory.dmp

Filesize
240KB

Download
memory/4428-244-0x00000000064A0000-0x00000000064AA000-memory.dmp

Filesize
40KB

Download
memory/4428-245-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4592-236-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download