quasar | e4bdfc5dee2559aba73e88fa3c0185821d328a1ead618e578352623687fa9ae7

Analysis

max time kernel
1050s
max time network
1049s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-12-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dox Tool V3 Cracked.rar
Size

1.6MB
MD5

a80d21cb7ec32c7b82b02186fb6e7751
SHA1

bdad4f5b2eaeaa763710bb10aff89215c3321474
SHA256

e4bdfc5dee2559aba73e88fa3c0185821d328a1ead618e578352623687fa9ae7
SHA512

d658f889912ba79b1155096148681e9bffa726743cdad9178bb3004785433f1ed74fbc18016556120ed03cdd49632ce495762a700fe8cec349156ecc5638544e
SSDEEP

49152:+C8NlxWSwOcsNlkAfTqNZZUakzfTqNNZBe:F8Nl8STAA7yZUx7iZBe

Score

10^/10

quasar office04 discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

192.168.1.11:4782

Mutex

QSR_MUTEX_f39lWqYnYtP5YngtM5

Attributes

encryption_key
c5q7P5jsfrwN6nB5c3mG
install_name
SystemUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ac0c-125.dat	family_quasar
behavioral1/memory/4908-144-0x0000000000C10000-0x0000000000C6E000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3488	powershell.exe
860	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Launcher.exe

Executes dropped EXE 14 IoCs

pid	Process
1832	Dox Tool V3 Cracked.exe
2812	Launcher.exe
3304	doxsys.exe
2340	svchost.exe
4088	Dox Tool V3 Cracked.exe
4908	WindowsUpdate.exe
3460	DOX.exe
3672	Windows Services.exe
2464	HQUHlwGxWA.exe
424	Secure System Shell.exe
3000	Runtime Explorer.exe
3144	SystemUpdate.exe
4324	svchost.exe
4788	HQUHlwGxWA.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	Launcher.exe
2812	Launcher.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Explorer.exe\""	Runtime Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows 10 Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zE4D91B458\Virus Total\desktop.ini	7zFM.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\7zE4D91B458\Virus Total\desktop.ini	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Virus Total\desktop.ini	7zFM.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Virus Total\desktop.ini	7zFM.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
2	icanhazip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	SystemUpdate.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	SystemUpdate.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\IMF\Windows Services.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Windows Services.exe	Launcher.exe
File created	C:\Windows\IMF\Secure System Shell.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Secure System Shell.exe	Launcher.exe
File created	C:\Windows\IMF\LICENCE.zip	Launcher.exe
File created	C:\Windows\IMF\Runtime Explorer.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Runtime Explorer.exe	Launcher.exe
File opened for modification	C:\Windows\IMF\LICENCE.zip	Launcher.exe
File created	C:\Windows\IMF\LICENCE.dat	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Secure System Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dox Tool V3 Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dox Tool V3 Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doxsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SystemUpdate.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3636	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4704	schtasks.exe
4884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2812	Launcher.exe
3488	powershell.exe
3488	powershell.exe
3672	Windows Services.exe
3672	Windows Services.exe
3672	Windows Services.exe
3672	Windows Services.exe
424	Secure System Shell.exe
860	powershell.exe
860	powershell.exe
860	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	7zFM.exe
3144	SystemUpdate.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2516	7zFM.exe
Token: 35	2516	7zFM.exe
Token: SeSecurityPrivilege	2516	7zFM.exe
Token: SeSecurityPrivilege	2516	7zFM.exe
Token: SeDebugPrivilege	2812	Launcher.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	2340	svchost.exe
Token: SeDebugPrivilege	4908	WindowsUpdate.exe
Token: SeDebugPrivilege	3672	Windows Services.exe
Token: SeDebugPrivilege	424	Secure System Shell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	3144	SystemUpdate.exe
Token: SeDebugPrivilege	3460	DOX.exe
Token: SeDebugPrivilege	4324	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2516	7zFM.exe
2516	7zFM.exe
2516	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3000	Runtime Explorer.exe
3144	SystemUpdate.exe
4324	svchost.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2812	1832	Dox Tool V3 Cracked.exe	85
PID 1832 wrote to memory of 2812	1832	Dox Tool V3 Cracked.exe	85
PID 1832 wrote to memory of 2812	1832	Dox Tool V3 Cracked.exe	85
PID 2812 wrote to memory of 3488	2812	Launcher.exe	86
PID 2812 wrote to memory of 3488	2812	Launcher.exe	86
PID 2812 wrote to memory of 3488	2812	Launcher.exe	86
PID 1832 wrote to memory of 3304	1832	Dox Tool V3 Cracked.exe	88
PID 1832 wrote to memory of 3304	1832	Dox Tool V3 Cracked.exe	88
PID 1832 wrote to memory of 3304	1832	Dox Tool V3 Cracked.exe	88
PID 3304 wrote to memory of 2340	3304	doxsys.exe	89
PID 3304 wrote to memory of 2340	3304	doxsys.exe	89
PID 3304 wrote to memory of 4088	3304	doxsys.exe	90
PID 3304 wrote to memory of 4088	3304	doxsys.exe	90
PID 3304 wrote to memory of 4088	3304	doxsys.exe	90
PID 4088 wrote to memory of 4908	4088	Dox Tool V3 Cracked.exe	91
PID 4088 wrote to memory of 4908	4088	Dox Tool V3 Cracked.exe	91
PID 4088 wrote to memory of 4908	4088	Dox Tool V3 Cracked.exe	91
PID 4088 wrote to memory of 3460	4088	Dox Tool V3 Cracked.exe	92
PID 4088 wrote to memory of 3460	4088	Dox Tool V3 Cracked.exe	92
PID 4088 wrote to memory of 3460	4088	Dox Tool V3 Cracked.exe	92
PID 2812 wrote to memory of 3672	2812	Launcher.exe	93
PID 2812 wrote to memory of 3672	2812	Launcher.exe	93
PID 2812 wrote to memory of 3672	2812	Launcher.exe	93
PID 2340 wrote to memory of 2464	2340	svchost.exe	95
PID 2340 wrote to memory of 2464	2340	svchost.exe	95
PID 3672 wrote to memory of 424	3672	Windows Services.exe	96
PID 3672 wrote to memory of 424	3672	Windows Services.exe	96
PID 3672 wrote to memory of 424	3672	Windows Services.exe	96
PID 3672 wrote to memory of 3000	3672	Windows Services.exe	97
PID 3672 wrote to memory of 3000	3672	Windows Services.exe	97
PID 3672 wrote to memory of 3000	3672	Windows Services.exe	97
PID 4908 wrote to memory of 4704	4908	WindowsUpdate.exe	98
PID 4908 wrote to memory of 4704	4908	WindowsUpdate.exe	98
PID 4908 wrote to memory of 4704	4908	WindowsUpdate.exe	98
PID 3000 wrote to memory of 860	3000	Runtime Explorer.exe	100
PID 3000 wrote to memory of 860	3000	Runtime Explorer.exe	100
PID 3000 wrote to memory of 860	3000	Runtime Explorer.exe	100
PID 4908 wrote to memory of 3144	4908	WindowsUpdate.exe	102
PID 4908 wrote to memory of 3144	4908	WindowsUpdate.exe	102
PID 4908 wrote to memory of 3144	4908	WindowsUpdate.exe	102
PID 3144 wrote to memory of 4884	3144	SystemUpdate.exe	103
PID 3144 wrote to memory of 4884	3144	SystemUpdate.exe	103
PID 3144 wrote to memory of 4884	3144	SystemUpdate.exe	103
PID 2340 wrote to memory of 4324	2340	svchost.exe	105
PID 2340 wrote to memory of 4324	2340	svchost.exe	105
PID 4324 wrote to memory of 4788	4324	svchost.exe	106
PID 4324 wrote to memory of 4788	4324	svchost.exe	106

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.rar"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

C:\Users\Admin\Desktop\jy\Dox Tool V3 Cracked.exe
"C:\Users\Admin\Desktop\jy\Dox Tool V3 Cracked.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\Desktop\jy\data\Launcher.exe
  "C:\Users\Admin\Desktop\jy\data\Launcher.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- - C:\Windows\IMF\Windows Services.exe
    "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\IMF\Secure System Shell.exe
      "C:\Windows\IMF\Secure System Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:424
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Users\Admin\AppData\Roaming\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
- C:\Users\Admin\Desktop\jy\data\doxsys.exe
  "C:\Users\Admin\Desktop\jy\data\doxsys.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
      "C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
      4⤵
      Executes dropped EXE
      PID:2464
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
        5⤵
        Executes dropped EXE
        
        PID:4788
- - C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4704
    - - C:\Windows\SysWOW64\SubDir\SystemUpdate.exe
        
        "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe" /rl HIGHEST /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\DOX.exe
      "C:\Users\Admin\AppData\Local\Temp\DOX.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3460

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\jy\Results\hits.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a6f5d13be6003bc55917d6f465ba6b39

SHA1
27610445e4deab0a460715e1bb55da80977d9ccd

SHA256
44b7165de7a33f9ce1e58fc51bdd7c2f34432d54ec77b496806453cafebc69fe

SHA512
164fb35d569814200fb836c87ef9f67e029ae44c17f7c67c698a23f592b281018c6db2a9a34ca4ae86cbd6df94f2d46534dbe5b2dadb85982c0a7878fee74391

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4D91B458\data\Newtonsoft.Json.dll

Filesize
659KB

MD5
4df6c8781e70c3a4912b5be796e6d337

SHA1
cbc510520fcd85dbc1c82b02e82040702aca9b79

SHA256
3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

SHA512
964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4D91B458\data\Search.ProtocolHandler.MAPI2.dll

Filesize
276KB

MD5
1eff11ced2866665f101892e9d097d14

SHA1
3aeec6fb969b0036c6f940db4ce1e63bde607518

SHA256
a90c1a13965f534565f98b4a7c0de5804b35482e9668f3d60df8a1c039e51ad9

SHA512
4c1b8423f5c43f1676e9625af0ada601e19283744992c148c0f8e79bff655c56e694a866da9fa3eab178c231457d30d371e5b469045a45d26814937bbc171fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4D91B458\data\Tesseract.dll

Filesize
122KB

MD5
8eef5f1c4e31c2b9a240a906d87ac0c4

SHA1
d7727a01aba3a5fa71338ef1287575ce64e6cdb4

SHA256
118c10d00e5b366cdef45e334ff928513a3c6e1f55d19deb3a1527796c5ca3b4

SHA512
c94b376147b60e09c931440f956466255731fe5dbe021f53a30b6f0a63506f5ad1b834b96ffa38828797f0536ea13c1ae10911cffee1ba485aa3455acff4953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4D91B458\data\sqlmap.conf

Filesize
19KB

MD5
d996323d71a04ce49f1ccbf36e5269dd

SHA1
b162bd7f60c823aa9abc5d185050d234688a6673

SHA256
bc5836e6e6e97290914afde652237450092729ee31634da6ab71b435a39ebde6

SHA512
3cebae3204f9eacf5269a754ae332ab5979b0931f3bd35093725ebb594e1a9a6ff37ef7e40b1dc92057314f2621097c8ffc558f1e70b200bcd3c298212c3f49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOX.exe

Filesize
154KB

MD5
670f75850165e3c3ef0df41e1565ff58

SHA1
784ae13c951ac390d7dea0071c97aded6800b708

SHA256
fb128eba50fac8bc22faac39de602c306809cb37167b950bd194eb0bd9832812

SHA512
c0355235fbce7829dbcd3fac26ec5663b09c880826a014599127f330ddd3c16a95a0ab973fa75ddbb4ce0f8756ab2494739b04d1fda0bb799d577e493c9ca9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe

Filesize
688KB

MD5
19d55f26a6237985cb72c59c08d4828f

SHA1
8bc51ad39e35f9be7d46e9e90e754e07d9c88b80

SHA256
317f9d304aea7c5a4b3516f5379a63e2a4fec91578f3c3f69507c8167798062e

SHA512
7a9de012783f9323264fb59739b76195acedd846ea15382d67e5ab19325269a37647865aaa44da9a97fb8eacdf365c1b6c55c0920c46a6cdca6a7c73b09e19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe

Filesize
20KB

MD5
0d282d4eb8db6d5152b4e5fd3e2064b5

SHA1
72cec747647d5d0f6ef2e5ddb34f1db68fc183e5

SHA256
8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061

SHA512
16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebCam_Capture.dll

Filesize
20KB

MD5
94306f6cf69f7e7c0b4f10ea499f73dd

SHA1
3228b4c2ca9109aa86f2810afc3d528947501c92

SHA256
ed937977d846c19ea5a721c8f720dafc4c697c2b136c17d66d7b6a4200090a7e

SHA512
d6c19775a96dedbd40be96d5b3aa3fb0db3d52749e0d54667b38a2f677c94b630ab543457708a1c123776ec473e9f40f18eb4080703ee9adf08110c417dea136

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
348KB

MD5
a59f7fb8ac2dc166432a86eb8e2179ff

SHA1
9c8b24bda935e397e1c0cb33752331fe1f773b45

SHA256
82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc

SHA512
ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mcanrif.q31.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
76KB

MD5
a57d275fcac1be0b9aad189223a313df

SHA1
0762b222741fa30751dce16e7dae2bcd191adaea

SHA256
1c6d4e2a60849385c9b4cfbb1fc92032cb503497099208f62d7908e52b9b487b

SHA512
41d90ec2548654b86bba21d178bae55b538bc7acf7811b9615095e4719e52075096053427ff85428a51047f405e8d1e6a633b999655e296c9ac396fb2bba36a8

Download Submit
C:\Users\Admin\Desktop\jy\Dox Tool V3 Cracked.exe

Filesize
207KB

MD5
6c206cadf297a02c0af977c65637a166

SHA1
7d382b1e6cefd120f9d87f894e14088e18d01c73

SHA256
f4f78f44719af71a363bd50107840f53f8eebf3190505c10bac2cf7be3c29e59

SHA512
2672ae02fb6b768861f469556f9818fd84866d62122f243309b5f2d13c4c907b6555e968bfb4b10cd48188fe3b2182b15ee7f425ddd14835b483d0dfe721b515

Download Submit
C:\Users\Admin\Desktop\jy\data\Ionic.Zip.dll

Filesize
480KB

MD5
f6933bf7cee0fd6c80cdf207ff15a523

SHA1
039eeb1169e1defe387c7d4ca4021bce9d11786d

SHA256
17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89

SHA512
88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6

Download Submit
C:\Users\Admin\Desktop\jy\data\LICENCE.dat

Filesize
77KB

MD5
5180046f168dfd684b5bf268f5a0fa56

SHA1
ac8202ad5c94eb4d9e6227af92b5120e6d1b7ce7

SHA256
4139baa8beebcde4504c33bc88cf13b9ab9f32e4a054871ebeb82be6b84edc01

SHA512
04add8dc053c39a594e7889071b3fb9036fdc978b6f39f769c38b322e18a4ea6e05b6b66d97f0ac40c58f39120c791006a5b732da46ceba799e0db74afbed3e0

Download Submit
C:\Users\Admin\Desktop\jy\data\Launcher.exe

Filesize
53KB

MD5
c6d4c881112022eb30725978ecd7c6ec

SHA1
ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

SHA256
0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

SHA512
3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

Download Submit
C:\Users\Admin\Desktop\jy\data\doxsys.exe

Filesize
1.0MB

MD5
8f36caf603f3f2b192c5fd06a8e3c699

SHA1
44f387152ee1fb02a83ed0be5e942fd4a733e235

SHA256
0ca828c630091173cafd2663393888849459fbc9581d1fd062567d0afdf79a38

SHA512
9df012c7420a4f6224907a8ac1e3293985b30c9ff829ecc9cdeea56fdcaa1c46d8e131fdd9b525e6af092065a29401c11f24390ba30969e9f3ab7e60e094dcba

Download Submit
C:\Windows\IMF\Runtime Explorer.exe

Filesize
152KB

MD5
03f5e0141f4519f0c5ac26ce0b036a0f

SHA1
4f7a2a230e7a194a898cc9f2d563ac8777fe99c0

SHA256
78a408c628e33e3332645f480ee7ce01b5dc24fc96cf16ffa0868d43f3d421ef

SHA512
86a68f040654006e06b51c5714e0d7168d0d1bef7f3c39843632068104f773f771d21be4bc251d712f3e915cd1058f89ad31d9e3f3d9e7cf6da6785cbf22d8d7

Download Submit
C:\Windows\IMF\Secure System Shell.exe

Filesize
45KB

MD5
7d0c7359e5b2daa5665d01afdc98cc00

SHA1
c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

SHA256
f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

SHA512
a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

Download Submit
C:\Windows\IMF\Windows Services.exe

Filesize
46KB

MD5
ad0ce1302147fbdfecaec58480eb9cf9

SHA1
874efbc76e5f91bc1425a43ea19400340f98d42b

SHA256
2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

SHA512
adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

Download Submit
memory/424-225-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download
memory/860-262-0x0000000006E50000-0x0000000006EF4000-memory.dmp

Filesize
656KB

Download
memory/860-253-0x000000006FF20000-0x000000006FF6C000-memory.dmp

Filesize
304KB

Download
memory/860-265-0x0000000007160000-0x0000000007175000-memory.dmp

Filesize
84KB

Download
memory/860-263-0x0000000007110000-0x0000000007121000-memory.dmp

Filesize
68KB

Download
memory/860-252-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/1832-69-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/1832-68-0x00000000052A0000-0x00000000052F6000-memory.dmp

Filesize
344KB

Download
memory/1832-65-0x0000000005620000-0x0000000005BC6000-memory.dmp

Filesize
5.6MB

Download
memory/1832-66-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/1832-64-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/1832-63-0x0000000000490000-0x00000000004CA000-memory.dmp

Filesize
232KB

Download
memory/1832-62-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/1832-67-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/1832-94-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/2340-118-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2464-221-0x000000001C6C0000-0x000000001C6C8000-memory.dmp

Filesize
32KB

Download
memory/2464-219-0x000000001BA90000-0x000000001BA98000-memory.dmp

Filesize
32KB

Download
memory/2464-217-0x000000001C500000-0x000000001C59C000-memory.dmp

Filesize
624KB

Download
memory/2464-216-0x000000001BF90000-0x000000001C45E000-memory.dmp

Filesize
4.8MB

Download
memory/2812-76-0x0000000006490000-0x000000000650E000-memory.dmp

Filesize
504KB

Download
memory/2812-72-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/2812-184-0x0000000006070000-0x00000000060E6000-memory.dmp

Filesize
472KB

Download
memory/2812-185-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/3460-145-0x00000000000A0000-0x00000000000CC000-memory.dmp

Filesize
176KB

Download
memory/3488-160-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

Filesize
120KB

Download
memory/3488-226-0x0000000007C60000-0x0000000007C6E000-memory.dmp

Filesize
56KB

Download
memory/3488-203-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/3488-77-0x0000000005240000-0x0000000005276000-memory.dmp

Filesize
216KB

Download
memory/3488-214-0x0000000007CB0000-0x0000000007D46000-memory.dmp

Filesize
600KB

Download
memory/3488-215-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/3488-200-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/3488-161-0x00000000078F0000-0x0000000007994000-memory.dmp

Filesize
656KB

Download
memory/3488-78-0x0000000005970000-0x0000000005F9A000-memory.dmp

Filesize
6.2MB

Download
memory/3488-146-0x00000000076B0000-0x00000000076E4000-memory.dmp

Filesize
208KB

Download
memory/3488-147-0x000000006EB80000-0x000000006EBCC000-memory.dmp

Filesize
304KB

Download
memory/3488-79-0x0000000005FB0000-0x0000000005FD2000-memory.dmp

Filesize
136KB

Download
memory/3488-96-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/3488-201-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/3488-232-0x0000000007C70000-0x0000000007C85000-memory.dmp

Filesize
84KB

Download
memory/3488-80-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/3488-234-0x0000000007D70000-0x0000000007D8A000-memory.dmp

Filesize
104KB

Download
memory/3488-240-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download
memory/3488-95-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/3488-90-0x00000000061F0000-0x0000000006547000-memory.dmp

Filesize
3.3MB

Download
memory/3488-81-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/3672-202-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/4908-231-0x0000000006990000-0x00000000069CC000-memory.dmp

Filesize
240KB

Download
memory/4908-144-0x0000000000C10000-0x0000000000C6E000-memory.dmp

Filesize
376KB

Download
memory/4908-218-0x0000000006440000-0x0000000006452000-memory.dmp

Filesize
72KB

Download