quasar | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

Resubmissions

09/02/2025, 17:26

250209-vzvbzaxpck 10

09/02/2025, 17:22

09/02/2025, 16:34

09/02/2025, 16:32

27/01/2025, 22:33

27/01/2025, 22:28

27/01/2025, 22:21

Analysis

max time kernel
249s
max time network
250s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe.zip
Size

1KB
MD5

0206983f12db26f622bbe73b165f126f
SHA1

e71f9fc602245a337f728e27917b0b716d3828f9
SHA256

6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
SHA512

296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Score

10^/10

quasar vidar office04 powerstealer prudabackend defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes

encryption_key
057FCAF700E62ACFECC7338C474084AF9B47ABEB
install_name
powerstealer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

100.108.37.105:4444

127.0.0.1:4444

Mutex

95a85978-c10d-4a09-935b-c02a2a18a609

Attributes

encryption_key
6FDAA03D192B9C03BF83E41A8BBF78996D321E27
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0003000000000747-34.dat	family_vidar_v7
behavioral1/memory/3048-38-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/files/0x0003000000011941-57.dat	family_vidar_v7
behavioral1/memory/3312-58-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/3048-81-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/3312-115-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0003000000000743-7.dat	family_quasar
behavioral1/memory/4452-16-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/files/0x0003000000000745-21.dat	family_quasar
behavioral1/memory/2312-28-0x00000000001D0000-0x00000000004FA000-memory.dmp	family_quasar
behavioral1/files/0x000400000001da73-65.dat	family_quasar
behavioral1/memory/3864-72-0x0000000000BD0000-0x0000000000EF4000-memory.dmp	family_quasar
behavioral1/files/0x000400000001da7b-86.dat	family_quasar
behavioral1/memory/2620-102-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 5 IoCs

flow	pid	Process
59	1636	New Text Document.exe
59	1636	New Text Document.exe
71	1636	New Text Document.exe
55	1636	New Text Document.exe
65	1636	New Text Document.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4560	netsh.exe
3840	netsh.exe
1224	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	server.exe

Executes dropped EXE 11 IoCs

pid	Process
4452	updater.exe
2312	Discord.exe
3048	noyjhoadw.exe
2144	update.exe
1936	powerstealer.exe
3312	build.exe
3864	fag3.exe
2620	fag.exe
3604	Server.exe
1764	server.exe
5080	StUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
59	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noyjhoadw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3772	schtasks.exe
2136	schtasks.exe
760	schtasks.exe
4004	schtasks.exe
780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe
1764	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1764	server.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	New Text Document.exe
Token: SeDebugPrivilege	4452	updater.exe
Token: SeDebugPrivilege	2312	Discord.exe
Token: SeDebugPrivilege	2144	update.exe
Token: SeDebugPrivilege	1936	powerstealer.exe
Token: SeDebugPrivilege	3864	fag3.exe
Token: SeDebugPrivilege	2620	fag.exe
Token: SeDebugPrivilege	1764	server.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe
Token: SeDebugPrivilege	392	New Text Document.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe
Token: 33	1764	server.exe
Token: SeIncBasePriorityPrivilege	1764	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3864	fag3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3864	fag3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2144	update.exe
1936	powerstealer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 4452	1636	New Text Document.exe	102
PID 1636 wrote to memory of 4452	1636	New Text Document.exe	102
PID 1636 wrote to memory of 2312	1636	New Text Document.exe	103
PID 1636 wrote to memory of 2312	1636	New Text Document.exe	103
PID 4452 wrote to memory of 760	4452	updater.exe	104
PID 4452 wrote to memory of 760	4452	updater.exe	104
PID 1636 wrote to memory of 3048	1636	New Text Document.exe	106
PID 1636 wrote to memory of 3048	1636	New Text Document.exe	106
PID 1636 wrote to memory of 3048	1636	New Text Document.exe	106
PID 4452 wrote to memory of 2144	4452	updater.exe	107
PID 4452 wrote to memory of 2144	4452	updater.exe	107
PID 2312 wrote to memory of 4004	2312	Discord.exe	108
PID 2312 wrote to memory of 4004	2312	Discord.exe	108
PID 2312 wrote to memory of 1936	2312	Discord.exe	110
PID 2312 wrote to memory of 1936	2312	Discord.exe	110
PID 2144 wrote to memory of 780	2144	update.exe	111
PID 2144 wrote to memory of 780	2144	update.exe	111
PID 1636 wrote to memory of 3312	1636	New Text Document.exe	113
PID 1636 wrote to memory of 3312	1636	New Text Document.exe	113
PID 1636 wrote to memory of 3312	1636	New Text Document.exe	113
PID 1936 wrote to memory of 3772	1936	powerstealer.exe	114
PID 1936 wrote to memory of 3772	1936	powerstealer.exe	114
PID 1636 wrote to memory of 3864	1636	New Text Document.exe	116
PID 1636 wrote to memory of 3864	1636	New Text Document.exe	116
PID 1636 wrote to memory of 2620	1636	New Text Document.exe	118
PID 1636 wrote to memory of 2620	1636	New Text Document.exe	118
PID 1636 wrote to memory of 3604	1636	New Text Document.exe	119
PID 1636 wrote to memory of 3604	1636	New Text Document.exe	119
PID 1636 wrote to memory of 3604	1636	New Text Document.exe	119
PID 3604 wrote to memory of 1764	3604	Server.exe	120
PID 3604 wrote to memory of 1764	3604	Server.exe	120
PID 3604 wrote to memory of 1764	3604	Server.exe	120
PID 1764 wrote to memory of 4560	1764	server.exe	121
PID 1764 wrote to memory of 4560	1764	server.exe	121
PID 1764 wrote to memory of 4560	1764	server.exe	121
PID 1764 wrote to memory of 3840	1764	server.exe	123
PID 1764 wrote to memory of 3840	1764	server.exe	123
PID 1764 wrote to memory of 3840	1764	server.exe	123
PID 1764 wrote to memory of 1224	1764	server.exe	124
PID 1764 wrote to memory of 1224	1764	server.exe	124
PID 1764 wrote to memory of 1224	1764	server.exe	124
PID 1764 wrote to memory of 2136	1764	server.exe	126
PID 1764 wrote to memory of 2136	1764	server.exe	126
PID 1764 wrote to memory of 2136	1764	server.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe.zip"
1⤵
PID:3492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:916

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\Desktop\a\updater.exe
  "C:\Users\Admin\Desktop\a\updater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:760
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:780
- C:\Users\Admin\Desktop\a\Discord.exe
  "C:\Users\Admin\Desktop\a\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4004
- - C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3772
- C:\Users\Admin\Desktop\a\noyjhoadw.exe
  "C:\Users\Admin\Desktop\a\noyjhoadw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Users\Admin\Desktop\a\build.exe
  "C:\Users\Admin\Desktop\a\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3312
- C:\Users\Admin\Desktop\a\fag3.exe
  "C:\Users\Admin\Desktop\a\fag3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3864
- C:\Users\Admin\Desktop\a\fag.exe
  "C:\Users\Admin\Desktop\a\fag.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Users\Admin\Desktop\a\Server.exe
  "C:\Users\Admin\Desktop\a\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4560
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3840
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1224
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2136

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
345B

MD5
7edbce9b8d730aab97bad5fb0fd94c80

SHA1
7201189c4ed6f6c0395c6e72ab100633b8257a0c

SHA256
c8b0d844bd3624524a1f4682797bf3db7f96057707c038345f925abdcb719fae

SHA512
6dddab7ae53df794df1613befa618a5b76d00d170074741df7d6cda43b0dc47051b50673ba5454a2a30ce5be6f81f21f0a3d973e2a819c8f18d60394a23c26a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
ac8176c2d631174edf859addea652168

SHA1
42ae520152bc4a9ad24ec1d2073ca9a3a10c945d

SHA256
92b7e1a674a396cf0ee7625eb4c77bbc6e909b3778745358fe999dcfdf0a8897

SHA512
483a1110d55b713c5b372d9b15ec27dfab15fe329e421c567965d6d30bf9d9cc02e563b33effab41e6a8e534d7377f5cb19ff52086f6a2a45bd9b2970a2a9a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
540B

MD5
7ab7a19bef50e77537e546f93b6c2285

SHA1
6ab63dd6357ac3c9ba529f4caaa57e43bd4c21a5

SHA256
853db65a5637fcd4289599469c98faae053be670de505ba5eb6647f997d071db

SHA512
a9e63f1f9115a34b7976d3008e6cecee8d2e6a37afcaebf1347140534bccdf1678f7358b07174d024070c7f63301353d385b217e74706f002c0020d74fd3c98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\New Text Document.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
c60feebd511c87b86dea130692995a0f

SHA1
d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

SHA256
632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

SHA512
bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

Download Submit
C:\Users\Admin\Desktop\a\Discord.exe

Filesize
3.1MB

MD5
bedd5e5f44b78c79f93e29dc184cfa3d

SHA1
11e7e692b9a6b475f8561f283b2dd59c3cd19bfd

SHA256
e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c

SHA512
3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

Download Submit
C:\Users\Admin\Desktop\a\Server.exe

Filesize
93KB

MD5
a9ba2416df448c5f3b36581ecfa4cd31

SHA1
105592c84c83cbf4e6f7b6978ecb6d37c99440b7

SHA256
b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf

SHA512
456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3

Download Submit
C:\Users\Admin\Desktop\a\build.exe

Filesize
119KB

MD5
08388bb4894c71e7b1be4bad966c3824

SHA1
7437ac98f08fc41283b900aa6fb0ae350d59dd6c

SHA256
986a98dc33a925fa232e1e5311807c7681cad9e0f07957d81e4f2f8257503f9c

SHA512
2adf5154e7dca7de1fcf12560c97f1b74e66fb3c5074d8fa9d29dd9da91a1314f9fc18270808c12364c4941a6a2346109824bd4c625df905f9be84af393934b3

Download Submit
C:\Users\Admin\Desktop\a\fag.exe

Filesize
3.1MB

MD5
814d032273cdbdc32dc6a232c108129f

SHA1
bd4b3bea0d543dd287fd952a5ae053f649f11fe4

SHA256
95e8911b88b45f18c2f415df69166ea5dadc1af3ee4ed79d42ca31dc812c4043

SHA512
1aca47dc3e839f192a0c51c396f1596f03a843c88883a6d4be02ce55647585d6a98e8ed215872661dbe412d9095eabf334fec5545a4a1dcf75a3ebe48dd2cbbf

Download Submit
C:\Users\Admin\Desktop\a\fag3.exe

Filesize
3.1MB

MD5
6b6cd0ace200ae15a3c40568bd516739

SHA1
c17c2dae1f9d4a3268f51ba9acf2095171408621

SHA256
9746060c7d36d8675945405b0c1928fb6bbcfe1bbac0f4c3247bd245ac6c4271

SHA512
4330446f193832bc3cdba0461df477ed7b27af44cce83daa7bf4c46afacee37b8e5ce7191573b23604efbeef66b2ed763adc156303e3e3927e1fc315ba22b1cd

Download Submit
C:\Users\Admin\Desktop\a\noyjhoadw.exe

Filesize
119KB

MD5
65cc23e7237f3cff2d206a269793772e

SHA1
fa3b354d2a7a4a673d4477ddcf1e1f2c93bb05fd

SHA256
a57a8a3c3c073632337bb870db56538ef3d3cebd1ada4c3ed2397ea73a6923fb

SHA512
7596ec7aeef7fcf446328dc928a835a54fa1060264b170baf2413252977bb0ac0b8da96867895530601cc098516e7bb82d1edbabfcfccd29d24619fe89f49613

Download Submit
C:\Users\Admin\Desktop\a\updater.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
memory/1636-2-0x00007FFE0A730000-0x00007FFE0B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-1-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1636-0-0x00007FFE0A733000-0x00007FFE0A735000-memory.dmp

Filesize
8KB

Download
memory/1636-105-0x00007FFE0A730000-0x00007FFE0B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-138-0x00007FFE0A730000-0x00007FFE0B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-99-0x00007FFE0A733000-0x00007FFE0A735000-memory.dmp

Filesize
8KB

Download
memory/2144-77-0x000000001C3F0000-0x000000001C42C000-memory.dmp

Filesize
240KB

Download
memory/2144-76-0x000000001C390000-0x000000001C3A2000-memory.dmp

Filesize
72KB

Download
memory/2144-60-0x000000001C430000-0x000000001C4E2000-memory.dmp

Filesize
712KB

Download
memory/2144-59-0x000000001C320000-0x000000001C370000-memory.dmp

Filesize
320KB

Download
memory/2144-127-0x000000001C930000-0x000000001CA32000-memory.dmp

Filesize
1.0MB

Download
memory/2312-28-0x00000000001D0000-0x00000000004FA000-memory.dmp

Filesize
3.2MB

Download
memory/2620-102-0x0000000000E10000-0x0000000001134000-memory.dmp

Filesize
3.1MB

Download
memory/3048-81-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3048-38-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-115-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3864-72-0x0000000000BD0000-0x0000000000EF4000-memory.dmp

Filesize
3.1MB

Download
memory/4452-16-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download