quasar | 67edbefe621aabd00b18f98816b872a87abeb3334e24f535732d02915aa82058

Analysis

max time kernel
82s
max time network
83s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2025 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrudaTweak.zip
Size

10.6MB
MD5

c83d23532d6dd591ffc0d6fd75597dd7
SHA1

06b3ad285f681700d5f9d43fed6a45e18368f7e8
SHA256

67edbefe621aabd00b18f98816b872a87abeb3334e24f535732d02915aa82058
SHA512

a0f49ce993f803200f493dbacc1bd9cb615fab63878ad80d00b77155cce2e48f9dcb706c4e3d2009ef47d7aedd9253da26a9ace83689718accf1dfdf3998f88b
SSDEEP

196608:7saahvSji7LYOSIlr3vTPzz3Uh33HUxxqM3PBOfo6cakJrdfLjPQbUINfkotWep:7z0SjkL/lT7jUhUxMM3PB5JrVAbVyotL

Score

10^/10

quasar prudabackend discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002ab58-109.dat	family_quasar
behavioral1/memory/1464-111-0x0000000000610000-0x0000000000934000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
4556	!PrudaTweak.exe
3916	crashpad_handler.exe
1464	Spotify.exe
700	update.exe

Loads dropped DLL 6 IoCs

pid	Process
4556	!PrudaTweak.exe
4556	!PrudaTweak.exe
4556	!PrudaTweak.exe
4556	!PrudaTweak.exe
4556	!PrudaTweak.exe
4556	!PrudaTweak.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1480	powershell.exe
3428	powershell.exe
3220	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\update.exe	Spotify.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe
File created	C:\Windows\system32\update.exe	Spotify.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2924	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3696	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2924	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3748	schtasks.exe
3904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4536	7zFM.exe
4536	7zFM.exe
4556	!PrudaTweak.exe
4556	!PrudaTweak.exe
1480	powershell.exe
1480	powershell.exe
3428	powershell.exe
3428	powershell.exe
3220	powershell.exe
3220	powershell.exe
4556	!PrudaTweak.exe
4556	!PrudaTweak.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4536	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	4536	7zFM.exe
Token: 35	4536	7zFM.exe
Token: SeSecurityPrivilege	4536	7zFM.exe
Token: SeSecurityPrivilege	4536	7zFM.exe
Token: SeDebugPrivilege	4556	!PrudaTweak.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	1464	Spotify.exe
Token: SeDebugPrivilege	700	update.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4536	7zFM.exe
4536	7zFM.exe
4536	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
700	update.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3696	4536	7zFM.exe	79
PID 4536 wrote to memory of 3696	4536	7zFM.exe	79
PID 4556 wrote to memory of 3916	4556	!PrudaTweak.exe	84
PID 4556 wrote to memory of 3916	4556	!PrudaTweak.exe	84
PID 4556 wrote to memory of 1480	4556	!PrudaTweak.exe	86
PID 4556 wrote to memory of 1480	4556	!PrudaTweak.exe	86
PID 4556 wrote to memory of 3428	4556	!PrudaTweak.exe	88
PID 4556 wrote to memory of 3428	4556	!PrudaTweak.exe	88
PID 4556 wrote to memory of 3220	4556	!PrudaTweak.exe	90
PID 4556 wrote to memory of 3220	4556	!PrudaTweak.exe	90
PID 4556 wrote to memory of 1464	4556	!PrudaTweak.exe	92
PID 4556 wrote to memory of 1464	4556	!PrudaTweak.exe	92
PID 1464 wrote to memory of 3748	1464	Spotify.exe	93
PID 1464 wrote to memory of 3748	1464	Spotify.exe	93
PID 1464 wrote to memory of 700	1464	Spotify.exe	95
PID 1464 wrote to memory of 700	1464	Spotify.exe	95
PID 700 wrote to memory of 3904	700	update.exe	96
PID 700 wrote to memory of 3904	700	update.exe	96
PID 700 wrote to memory of 1616	700	update.exe	99
PID 700 wrote to memory of 1616	700	update.exe	99
PID 700 wrote to memory of 3512	700	update.exe	101
PID 700 wrote to memory of 3512	700	update.exe	101
PID 3512 wrote to memory of 3300	3512	cmd.exe	103
PID 3512 wrote to memory of 3300	3512	cmd.exe	103
PID 3512 wrote to memory of 2924	3512	cmd.exe	104
PID 3512 wrote to memory of 2924	3512	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PrudaTweak.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8B1E9447\ReadMe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3924

C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe
"C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe
  C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\Desktop\PrudaTweak\cache --metrics-dir=C:\Users\Admin\Desktop\PrudaTweak\cache --url=https://sentry.pruda.de:443/api/2/minidump/?sentry_client=sentry.native/0.7.16&sentry_key=ae11f7dd565c2b26983cff3e1a33de87 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\c700acf6-9a34-4a06-dc6b-e04dbec79153.run\__sentry-event --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\c700acf6-9a34-4a06-dc6b-e04dbec79153.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\c700acf6-9a34-4a06-dc6b-e04dbec79153.run\__sentry-breadcrumb2 --initial-client-data=0x5c4,0x5b8,0x5c8,0x5bc,0x5cc,0x7ffd1f543b70,0x7ffd1f543b88,0x7ffd1f543ba0
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Set-MpPreference -DisableBlockAtFirstSeen $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Set-MpPreference -DisableIOAVProtection $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Users\Admin\AppData\Local\Temp\Spotify.exe
  "C:\Users\Admin\AppData\Local\Temp\Spotify.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3748
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3904
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /delete /tn "Runtime Broker.exe" /f
      4⤵
      PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKEN2KX21EYO.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3300
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aed49afb1018d9ac79c6f2994e8e712c

SHA1
25e6a7ef96854eb38c2b96f8f104c1817af3aaa4

SHA256
cb7a143f1ab8dd4bc8424a63d8b18d7c3bbb68f29a79d01eaea36e2a0fb42a96

SHA512
1b0bb96f151a2e471072719f15d01c74108f90fc44533a6b1384442d4549f84a3d0015e010bb3e136abe7d5b02651923b75bfd758ea41bdb7e28e3787dea4f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8B14FD47\PrudaTweak\cache\4ad14509-b7df-46ad-9762-2eb94b7bb35b.run\__sentry-event

Filesize
305B

MD5
4d3bf9c62481386d99e2a5a0828341d2

SHA1
f359b6c105b8b1ece4569075a5781eecf61ecd21

SHA256
7407a8986ef45d2c6d7438d5d2d2664ab4089d23b6a02dc786987b375a07833a

SHA512
cf250facbff061775678b7be429763a6ca818587824e622341f986acd9e4e8f81dd82e49fb5d75759c5b186c327f7f89854c54f204dc6eb1af5eef5201537993

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8B1E9447\ReadMe.txt

Filesize
54B

MD5
499de9d9188c430a05577a37ca55eb25

SHA1
38e94adbe669972e47ce5c8f9f7c1856b736325e

SHA256
4097e09dc2992caddd40ed08a80f6bd96ee15c9077cc1f81e82062b755341df0

SHA512
8926b484501ce4dd77d89960535e2bd1520f319a655efaecd565f18baedc4d80aa7f53c3b0429b4afcc540d713a6d2f317accfebab6be7d23a37d05aa0fcd6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spotify.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1xaagll.jhe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKEN2KX21EYO.bat

Filesize
193B

MD5
a2c2bd706f9768c4c41dbc95929fd63e

SHA1
d02ca4efd367e091f7c1028885213b3aa9897a73

SHA256
2204ea1231d505f9aa5b6a60340ae2a8e7094530a768a69fb4a3466bf7200a6f

SHA512
78f81c2165538bfde03eeb6fd1eab3b5fd288d5406f2d432fe67b128e7223cc901bf0eff68b4a6b8af143a3bc3c680cd133868f00350654817faa82e8994b591

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe

Filesize
135KB

MD5
b919c1037e70d3db56f5a5ddb67d9e86

SHA1
e96772ca1fe8e044c3a03b46a9535c67c063bec0

SHA256
86c4260b065071bb0e89c3b6ea67a1065a63dd23cf03ad4e27cdcbeaf9748398

SHA512
502a5252a1ae87f93e272689da3fd206538ffde5e01aa281b3ee3905c273af79cfe9aa3759e675197f7ff6c166f898307789263429cdf34b7402b07a99511b04

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\Sentry.dll

Filesize
547KB

MD5
f634f84cf9f0244b3c62b04b21c69bbf

SHA1
e0a09946aad5cf6d402b617fc1679b139ddcb79f

SHA256
1e28984f8e08bcf2c902b9621a3b9646c695f12cd5b059b820bdbd735f706651

SHA512
50a15ef80f5ec00169a214cc8b26c8a5a81209760c48a6108d16b0ccc2a63fa8f0a22f3d8db235a74abfc4db65fc3e4a4eb8b46e06342c183c2c1f5b52b42fb3

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.deps.json

Filesize
2KB

MD5
81dba0ada628b279fdd419ae8b6cdb51

SHA1
856a511842dca4955c6b99f2154ac71c1d3053cb

SHA256
38c88f3aec2b0cbc7136020ec13eba93225e96cdca13d2f6941398900a905178

SHA512
2545810e4d8f96ee3e54608a7ffc0e3fa33f8bbdfd7ca781d63fad287a965ec6765bbb61cac25d6c9ee8f8e8670b5736b4b9671d0aed677f21615186a59ac87f

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.dll

Filesize
122KB

MD5
69c33683d8a85555a7d6c46ae03f5a9b

SHA1
52d0dbf8509944a14de7a1628e87868a13323828

SHA256
fa79404124b3bee4aa13cb36f0fbbb886daf68f083ad4f59e1825645ce1b2194

SHA512
e67c988c46d8c69293d6aa6f78fac724933769bf9c810e254883543fd60fa32210d01b0733f2d886126c2c905889b3b8e2cde7bdc59f60c1e0862405d8081997

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.runtimeconfig.json

Filesize
515B

MD5
e0f6f18f9b152bc2d8c710b0214805d6

SHA1
ae3d39e59fd6edc05792a76cdf4f02a637f52e29

SHA256
89ad1ea5c9c20b6b266547ef27c0ae3840cab5642d3c2aedf06b7026245671dd

SHA512
80a6a9ff925bd1ba6f57fa1f7dd40de962001af97f8c2477d0b502728e23b6f412c74134e33efb36ccfeb08bbbeb678beb7e2e52fad24a763967eba8cf09b29e

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\4ad14509-b7df-46ad-9762-2eb94b7bb35b.run\session.json

Filesize
205B

MD5
a9a8c0495255b0d780a48beeff331553

SHA1
73d7a0d2e5a607f2cb8f4b3e05c9303dafa577fe

SHA256
3a3b4b38fcdaa295a36a57636ec96cd84afa40a32fdd5a1b39720b56cbbd4064

SHA512
e98e09d71b8f00783d0a1d5bc3967345c0f4671b5dd68781bee34e2cddad59790649aa8649724aac1393f0e8569ab714b494fefe4a13e27fdc3c3dcc462a253b

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\8b8eaff1-9501-4d58-3a5e-90f8a6f28619.run\session.json

Filesize
205B

MD5
06df072958cdbd820f13b70130c8f8a0

SHA1
94c378762ff9a19a503160bd05814a8fc3ef5cd9

SHA256
98902d8d2f18e29169cb60d5ba46974b79d841dcd0d0c243f47d7c6d663a9254

SHA512
6212959e85dbc965de7406f2a596bdb1746efead9bec35fb861f57c75e33de6c3006c6798cc09583335e1705c3771ec45621a4c84f059803823cbca8fed924a5

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\settings.dat

Filesize
40B

MD5
f0695e361eda3407c992d4042c98bd96

SHA1
4750f5d01ec5434f4852e06f1a0d6867c8eaa700

SHA256
31bc96d2a96b589e9d3fbae934e22112f847415081e54ff60cf21d2c7a0f3797

SHA512
19058ec366abad9414c26ad0acc5a22a870ca4e75aa8f60626a41e3bb8814a27be5d1b37e80b5f4e608b1c9fe991584d2430dba3ebb090b75a12cb63953cdecb

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\core.dll

Filesize
7.8MB

MD5
2812dc85be549cb7ac9f2af2fd33bf23

SHA1
397162303b15457cd883c20da2a51c08fd47414b

SHA256
c0c06a8ad06ca18771acb39d53eeb4222606d817c0fd51b31f58f9bb11c08610

SHA512
0720cd21fb2f52f7b64785f1083ef8ca9a2cc0e1bfc7ae3226145a02e21befd001e4b98aaed04f2535c9d4f3c6d7f11d814f2a154836a0a78f81277b5650381c

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe

Filesize
2.3MB

MD5
3334755210b904abcb67d187770e8cbf

SHA1
27d22593374bb6611ff54562b18422ef515cf8b3

SHA256
c3f4c395b7ab3caa33dfc30a05a1e0ffba81d05ecbdc6eb9f2c901421e31c8ff

SHA512
9d8a3eadd27733dae3025542c4ac46eb3fe6923770c41b178f96f99751cb8809b3965ea1b2fd1585be5af3803e3046f47337d3fb2aa6130fd51b018549775c52

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
5a6752a89ddc99da064d5f7ddad70888

SHA1
c0aeefaa763c50ed4403f9d881d75aa1304ae81d

SHA256
523708e61d7509314047baf84d8d23a2c9dea59fa962ac58eec85c01c9877408

SHA512
4df9556a06c883c5e4dc8b37acc5be54f62cc471d482c19af54d52f160e00be98ce07bf54650cea881f9ddcf65f4c53b7f6e91aba178f64c3bff5201154b914f

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\libssl-3-x64.dll

Filesize
879KB

MD5
4a8dde272f6015afe307853acd2b21e1

SHA1
7b5c07d101e4aab1ad246f4cd1c55e497b02ee8b

SHA256
befc04fbac884fd3bbe09131efa7f6dd6713a732e31f839e6145680a41827e0f

SHA512
ff45450f195d8440fb99fbb6bcffbf1c08201c4a9b146a703bc2474d31adfbb98444657acf4d9c0be73072dba8353026d26f3dbd4b53d044099fc4c84b2c9329

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\runtimeconfig.json

Filesize
170B

MD5
351f746426eecd5f6dab7a8549706845

SHA1
25fa3a53604551783aaab0f7a47936c9b1368653

SHA256
8dc2877edafe9f042088b9ba55b5193177dc4569b36bfbd0f9141e4489fc6e94

SHA512
ce310761a102e7f0a17ddd4c07f668e746c304a7c6ea7b02e94eea3e129eff5ac49384da9cd5ee046ba150f4759afe3834b16f8a5111f037c288c464735496bd

Download Submit
memory/700-122-0x000000001BEB0000-0x000000001BEC2000-memory.dmp

Filesize
72KB

Download
memory/700-123-0x000000001CB20000-0x000000001CB5C000-memory.dmp

Filesize
240KB

Download
memory/700-118-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download
memory/700-119-0x000000001BF10000-0x000000001BFC2000-memory.dmp

Filesize
712KB

Download
memory/1464-111-0x0000000000610000-0x0000000000934000-memory.dmp

Filesize
3.1MB

Download
memory/1480-75-0x000001E961380000-0x000001E9613A2000-memory.dmp

Filesize
136KB

Download
memory/4556-57-0x00007FFD455D0000-0x00007FFD455D2000-memory.dmp

Filesize
8KB

Download
memory/4556-60-0x00007FFD1F460000-0x00007FFD202B2000-memory.dmp

Filesize
14.3MB

Download