Malware Analysis Report

2025-06-16 05:32

Sample ID 240314-kvtvjahh65
Target c803b24286b85e84999728e62074f29a
SHA256 caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7
Tags quasar rat2000 persistence spyware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7

Threat Level: Known bad

The file c803b24286b85e84999728e62074f29a was found to be: Known bad.

Malicious Activity Summary

quasar rat2000 persistence spyware trojan

Quasar RAT

Quasar payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 08:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 08:55

Reported

2024-03-14 08:59

Platform

win7-20240221-en

Max time kernel

172s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Windows\\SysWOW64\\SubDir\\Client.exe\"" C:\Windows\SysWOW64\SubDir\Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.exe\"" C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\SubDir\Client.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (50 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (50 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe C:\Users\Admin\AppData\Local\Temp\cmd.exe (4 identical rows)
PID 2464 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\cmd.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 2464 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\cmd.exe C:\Windows\SysWOW64\SubDir\Client.exe (4 identical rows)
PID 1972 wrote to memory of 1496 N/A C:\Windows\SysWOW64\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 1972 wrote to memory of 2752 N/A C:\Windows\SysWOW64\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\cmd.exe (4 identical rows)
PID 1972 wrote to memory of 2904 N/A C:\Windows\SysWOW64\SubDir\Client.exe C:\Windows\SysWOW64\WerFault.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

C:\Users\Admin\AppData\Local\Temp\cmd.exe

"C:\Users\Admin\AppData\Local\Temp\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0WRZ4k44txBc.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1492

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp

Files

memory/2500-0-0x0000000000830000-0x00000000008B0000-memory.dmp

memory/2500-1-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

memory/2500-2-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/2500-3-0x000000001B260000-0x000000001B2E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmd.exe

MD5 efb08c8abd228dc2c608b4b2ae81f8e5
SHA1 4c132ee66fb7ab5e26989f07d72fbc81d4480f41
SHA256 bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863
SHA512 b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962

memory/2500-10-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

memory/2464-11-0x0000000000D10000-0x0000000000D6E000-memory.dmp

memory/2464-12-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2500-13-0x000000001B260000-0x000000001B2E0000-memory.dmp

memory/2464-14-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2500-15-0x000000001B260000-0x000000001B2E0000-memory.dmp

memory/2464-17-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2464-18-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2464-24-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/1972-25-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/1972-26-0x0000000000E40000-0x0000000000E9E000-memory.dmp

memory/1972-27-0x0000000000B00000-0x0000000000B40000-memory.dmp

memory/1972-28-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/1972-29-0x0000000000B00000-0x0000000000B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0WRZ4k44txBc.bat

MD5 8b40d57aec119a37c045dd2d4eabc66e
SHA1 49c08719cf7f2e8ae9ebe3c1beb73dfaf17c11d1
SHA256 8d9c644b15f78f3b61738a3a8deaf38f7eeccff37eee0bb16394996167af0d68
SHA512 6317b618950c8588b1887f50de3a69939a51eceb8b8748aa70f6cec1365b8b7e88cd94b7fd49e7e5c9f98225d31b08dbab7a1c58b61bbd118b3671de4897fae8

memory/2752-40-0x0000000000E30000-0x0000000000E8E000-memory.dmp

memory/2752-41-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2752-42-0x0000000004A20000-0x0000000004A60000-memory.dmp

memory/2752-48-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/668-49-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/668-50-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1972-51-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/668-52-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/668-53-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 08:55

Reported

2024-03-14 08:58

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

Signatures

Quasar RAT

trojan spyware quasar
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\SubDir\Client.exe N/A (9 identical rows)
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\SubDir\Client.exe N/A (3 identical rows)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{48919F8E-078B-459A-BC24-C1286632461B} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (4 identical rows)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 identical rows)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (56 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (26 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\SubDir\Client.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (39 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (40 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2636 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe
PID 2636 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe
PID 2636 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe
PID 2568 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2568 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2568 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2568 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe
PID 2568 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe
PID 2568 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe
PID 2272 wrote to memory of 2220 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 2220 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 2220 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3156 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3156 wrote to memory of 2164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3156 wrote to memory of 516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3156 wrote to memory of 516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3156 wrote to memory of 516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 592 wrote to memory of 2168 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 2168 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 592 wrote to memory of 4160 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

C:\Users\Admin\AppData\Local\Temp\cmd.exe

"C:\Users\Admin\AppData\Local\Temp\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5yvfqnmlRxXn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2272 -ip 2272

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8778d46f8,0x7ff8778d4708,0x7ff8778d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8cIPnToldDNa.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5492 -ip 5492

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 2200

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BdLzpVKfjQSG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3036 -ip 3036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 2200

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGKuU6yK0ylt.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5352 -ip 5352

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 2208

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t5LkbtXG4uA3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5516 -ip 5516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 2204

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1i1ABXMmhrSm.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3472 -ip 3472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 2204

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5792 /prefetch:8

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CXQ19QGPScq9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3432 -ip 3432

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1772

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lTQbEIcNTLEL.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2220

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQjLNgQBcDQU.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2308 -ip 2308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 2196

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2zrNovLba7ao.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1976 -ip 1976

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 2216

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5052 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chbkGAlgEntu.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 2240

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3763272749212379622,7474944179158077676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkeojmxt2RKa.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4296 -ip 4296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 2188

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.135.221.88.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
GB 92.123.128.152:443 www.bing.com tcp
GB 92.123.128.152:443 www.bing.com tcp
US 8.8.8.8:53 152.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 92.123.128.176:443 th.bing.com tcp
GB 92.123.128.195:443 r.bing.com tcp
GB 92.123.128.195:443 r.bing.com tcp
GB 92.123.128.176:443 th.bing.com tcp
US 8.8.8.8:53 176.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 195.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.134:443 login.microsoftonline.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 204.79.197.200:443 www2.bing.com tcp
GB 92.123.128.176:443 th.bing.com tcp
US 8.8.8.8:53 bing.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 synapsex.co udp
US 104.21.70.188:443 synapsex.co tcp
US 104.21.70.188:443 synapsex.co tcp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 188.70.21.104.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 42.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.34:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 34.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 csi.gstatic.com udp
US 216.239.32.3:443 csi.gstatic.com tcp
US 216.239.32.3:443 csi.gstatic.com udp
US 8.8.8.8:53 3.32.239.216.in-addr.arpa udp
NL 142.251.36.34:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 40.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
NL 142.250.179.129:443 tpc.googlesyndication.com tcp
NL 142.250.179.129:443 tpc.googlesyndication.com tcp
NL 142.250.179.129:443 tpc.googlesyndication.com tcp
NL 142.250.179.129:443 tpc.googlesyndication.com tcp
NL 142.250.179.129:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 129.179.250.142.in-addr.arpa udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 3.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
NL 142.250.179.130:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 130.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 194.179.250.142.in-addr.arpa udp
NL 142.250.179.129:443 tpc.googlesyndication.com udp
NL 142.250.179.196:443 www.google.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 26.134.221.88.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 cdn1.synapsecdn.to udp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
GB 96.17.178.211:80 tcp

Files

memory/2636-0-0x0000000000170000-0x00000000001F0000-memory.dmp

memory/2636-1-0x00007FF880C80000-0x00007FF881741000-memory.dmp

memory/2636-2-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/2636-3-0x000000001AE70000-0x000000001AE80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmd.exe

MD5 efb08c8abd228dc2c608b4b2ae81f8e5
SHA1 4c132ee66fb7ab5e26989f07d72fbc81d4480f41
SHA256 bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863
SHA512 b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962

memory/2568-16-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/2568-15-0x0000000000570000-0x00000000005CE000-memory.dmp

memory/2568-17-0x0000000005540000-0x0000000005AE4000-memory.dmp

memory/2568-18-0x0000000005030000-0x00000000050C2000-memory.dmp

memory/2568-19-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2568-20-0x0000000005120000-0x0000000005186000-memory.dmp

memory/2568-21-0x0000000005CF0000-0x0000000005D02000-memory.dmp

memory/2568-22-0x0000000006230000-0x000000000626C000-memory.dmp

memory/2568-28-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/2272-29-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/2272-30-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/2272-32-0x00000000066C0000-0x00000000066CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5yvfqnmlRxXn.bat

MD5 39fa50b1ce1f717e3cdf0b935ca7ede3
SHA1 213c3e8463c921238c4c75dffe90dc0686e7f11f
SHA256 e46a13d32c85203793523bd4166559a1f4a7cb20f716646b5f828b08f22aca60
SHA512 4d6c5755e50cf8d64a7f97dfd191126409bb88337673392ef447e165095d5027e6b2c986a74974b9ce6786ee652042342c77304b5fc7398f4a5633d37d5ce687

memory/2272-37-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9f44d6f922f830d04d7463189045a5a3
SHA1 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA256 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA512 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

\??\pipe\LOCAL\crashpad_592_VCZHLXIQQGGJAJQS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7740a919423ddc469647f8fdd981324d
SHA1 c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256 bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA512 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 43014575c6c16e624f69cbd01c1ad4d8
SHA1 54a3e6834b71d9bee28e3facf2c5bdd9a2ae80bf
SHA256 c7df834fcfa8bb72a0a6c1072ab66622bc2f7ff70fe296fecfad583970d84665
SHA512 4140539e8c98c26750866bc4dd79951ad5c560228555a5ddb5d0ad6794d3b7fa2a3a2885d553f61c41ab5fc4031abe53f6873dc6defdc453923d5fef6312c22e

memory/2636-62-0x00007FF880C80000-0x00007FF881741000-memory.dmp

memory/2636-70-0x000000001AE70000-0x000000001AE80000-memory.dmp

memory/5492-71-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/2636-72-0x000000001AE70000-0x000000001AE80000-memory.dmp

memory/5492-73-0x0000000004AF0000-0x0000000004B00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5540-80-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-81-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-82-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-86-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-87-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-88-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-89-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-90-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-91-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

memory/5540-92-0x000001C3A92C0000-0x000001C3A92C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 21078325f83e8963ae58a4f86689c5b4
SHA1 c6b43d9c4e663171f722453bba305a20fbafcb4b
SHA256 c827dd81936f8d9756bdda01fe151e2b80fee1c33db5bc2849a61c380e616e9f
SHA512 89639a25a04b324e627231af047d8d3afedec4b80325251f8df08dc569e2f598ffe81f84fb04d534344b425dc73a05f8476b79434bf0fcea7d2ffad4fb5a6023

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1b87b9b662b48f3ea2259d0c7bdc6e7e
SHA1 3d980369161a1dbda211106c9db71ced15dc10de
SHA256 4c033321f49a81ca6b801944e1ccc685ea87349c3876811f801b2f5409546043
SHA512 73d87b8ad35c17d7de3d6be43efce8f17dc11750ccd63fb4f6073cedb6e104bdc7be55b93aa5de8858e103697bf112885cb913bb839cc92e122782710b2f1822

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cf7575350bf6d2a38efae0ccda12b5a5
SHA1 75363bd8f07f63b04a7c6a2be5ff5bf7267f1268
SHA256 88ce7362ca6ea7c13622066cf40465fb977d00ff3cfae1a7d78fcf7de963909a
SHA512 d86c449b4c1d2d656691e821bb3dea4b0fb5f7af9577f1397b9e8f8a468311bc91b067e4b3b1e9869484f0af82a906e0ebe323534bf2ae89ecff1ab102553107

C:\Users\Admin\AppData\Local\Temp\8cIPnToldDNa.bat

MD5 d2bd6770141b02b1c96ae8c14c04640b
SHA1 e783fa8b7633f0e77b993a639311a0a4d580afef
SHA256 b64915a92c6439fb627fc07bdf04c259fb74d0dec3c9e62150dc28de2f01ff3b
SHA512 252a117cb1d50f67212cc0f437356562596effff3f4123d650d549f57876d903091ac099fefcac17736cf39bde0f4c0dcd81479d4f0ab4e069c91587fb09d749

memory/5492-113-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/3036-115-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/3036-116-0x0000000004F10000-0x0000000004F20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 ba4f3d670eaf86f5a4d8dd97bf7e2d7e
SHA1 871d41d7ea05cb961dd690710a78bb73cdbe71fa
SHA256 9b67920a119f2e628b0a436eaded09576fd334a974b23eaa48fa81379e426cda
SHA512 7183ab4dee1d30030bfb04c43cde95da6f48f73d6cc09987df6a718ff125dd30815f835be6523d4cc71ced4aa9a255908e30134a5e32fa476e54c505d9b41f6e

C:\Users\Admin\AppData\Local\Temp\BdLzpVKfjQSG.bat

MD5 63dba4453833bb9defdafcad7eca4aa5
SHA1 39ac956bb4195d13367fd6604520aebce92234dc
SHA256 d027cef164049c46f1ed28aade895c9777f9cf26ba9528f99e49c2b3a1cb34f2
SHA512 2a9328709920f07a13d4e463bd641e2e45ca61111d1c2685c95a04cd5df971a08be5e1259ff99ad7e35230a1e3588a981227363e1ae831f59468245e5aa824cb

memory/3036-123-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/5352-141-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/5352-142-0x00000000052B0000-0x00000000052C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lGKuU6yK0ylt.bat

MD5 d560d8cc65735751cadf8c647af34796
SHA1 dc55ecccf69007e7eaf8f9b2e8b29f3cdb1ab740
SHA256 a918a40a11853d9aefe2d3e5d5aa50e9c6fd2a1b5e4e5501316604d1a9c59e42
SHA512 3bf79f9b2b1d2fbf2a794470d3e51772e5a3a1e02fd47719860139c1fba94edaa11b4b03b727e91b90f2b9978f77685f226e8a686a1eaab68b764d2c61aeaf19

memory/5352-151-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/5516-162-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 7af279f6cba7d802225cad0bde1d83ea
SHA1 304f1602405476da89101013107af5aabbae297b
SHA256 46bcdb7c3f77891aecf351fc0f227940ee8b0137d81527fc17a29bb379d446fe
SHA512 9a260d9a87cc048c143bbb43f6efbd53adfe6843a58fc16a8e6c8752ba87a60cb4bae4c3d2063be763af9c7ba63a100464f561f74858b90300c36955e1d471a1

C:\Users\Admin\AppData\Local\Temp\t5LkbtXG4uA3.bat

MD5 bb83c768c10260f88867e054d39bc083
SHA1 c7a2f223f5ce7c96eb66246200cfa695662e7c97
SHA256 c0aafab2881d029a2a814d60fa71ada4e3a0954a38f52808613b0fe004026198
SHA512 b6d0c6b6312b94b837ae5131cf37ae34ccf8b6467a9a7847094b97f95d30b4b3cf2962bd96c020a8010b04c547babe0b0154003ecc581259dfa1f7ff3de91593

memory/5516-169-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/3472-180-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/3472-181-0x00000000059B0000-0x00000000059C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 fd0b98ef2e1f79db7c454d9e6c70e9da
SHA1 6e41bb34ea84a562e9d5f7054293a7af9b838a4f
SHA256 1271154e73b06059d0676d730d69189c66175b134f524c8079758505999bfab0
SHA512 e9dcfff19140cafe55dcbccc1f065c0f9cdf543d07dcec78e2bcdc17725b973d3ba4facd04d9efe2660b023e8e9afdcb796f1bbd3c135d9e11c9c3e7270c7925

C:\Users\Admin\AppData\Local\Temp\1i1ABXMmhrSm.bat

MD5 a8279f3e7a71ef7fd3de3b334d4e0786
SHA1 fea1760c7de4ab819b0a29bc78077fcdc2b5f279
SHA256 cfaf1cfb12fc8f31ca3af0b6b868da35dfabb085aef216c02c77e4bdb1eed70f
SHA512 90a0d146d397382e0988fa7d13fc0616bc6e0cebc2c347681d686f561b776294127da888ab5e370dfbe4f7577e1d2bdc7298554557c13fdda5d62ae8c0a91eba

memory/3472-188-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b6033a821c96fac252c07ab58b63bf5f
SHA1 fc68a05ae88450da7f81502ff6de6fe0d95c4a93
SHA256 777b41ecb4798a9126eb6724f2b36f136746ac1a23891a3dca988fbc7d75121c
SHA512 c710cc5ad5180522d5afb5d24ffc13e15764bcc3fe8e6b33ad39c49a67d502be70452fcd7a19f324f7009e61554ff24ebc6de92dd195e8567f137a78a3dbe5d6

memory/3432-285-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1e903c76e85145bc707ff655a8839a52
SHA1 cfbcb345f2556c3c8384a1217f994c71b39c1862
SHA256 16810d7496ec8ac7b37b6b3b41cff7a9e06230204ce4fa7d1b954b02cd67ac78
SHA512 fbd6417c37484dbf95f328516b2ab357d9f1cb17fbbbac7fa9308486fa818eb7aac2146e8564ec0bf87108ac111778da6270cc9c27ce2391d958a1a1f6bc7940

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 b5f150f29503def329b8c4ed483755f4
SHA1 7c937092e2a18c6568ff386e64000994d0b6e1ae
SHA256 da3888a05b2c7498ddbb3b8f031fb859ce72c4692ca1605b5268f1defe0cfb44
SHA512 a6ab1492083049c67e6fe4e21924c8f94e71d66b96918a178be4f632314a0c901e2c4934731af7ea83ac9cb7c61335fcf5003f6d284a0eea5e4fcd2bab25bd5e

C:\Users\Admin\AppData\Local\Temp\CXQ19QGPScq9.bat

MD5 7e4e245d48c50d319f5071b33db18949
SHA1 68c05ccd4d4da7e5641d5ce9dc158f181e4238d7
SHA256 9181cd297fca939f0268ee20b2f1803975a88cc569787fba0d965775740291e1
SHA512 f4d6e52cf6726f2b3e89329bfa07c1732e9fdfb3437e6eebb5b6daa3a100a44b1cd04c577447557a77ef71413b3c41dad142aafd37cad41ba0a234f125e5364f

memory/3432-352-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 76a3f1e9a452564e0f8dce6c0ee111e8
SHA1 11c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512 a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 97036f291cd93f105818adb5662e048e
SHA1 e2a875356a7c875628a390d06ff83ce9947cfc0c
SHA256 fb7e8cf09e4d38d74bcb267da3b066688274c217ed4348e8923fba6f3ea1ae34
SHA512 1eb4f2fff2d3427b5c6d2b4ef695266a4f66ec836ea7c1d2c1adb564b82d9aa31a57cfb0333c27d10b092122abbf6d5089c81f8853e89fae6c4f07a3a8a35266

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 a127a49f49671771565e01d883a5e4fa
SHA1 09ec098e238b34c09406628c6bee1b81472fc003
SHA256 3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6
SHA512 61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 710d7637cc7e21b62fd3efe6aba1fd27
SHA1 8645d6b137064c7b38e10c736724e17787db6cf3
SHA256 c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA512 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 d6b36c7d4b06f140f860ddc91a4c659c
SHA1 ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA256 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA512 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 74e33b4b54f4d1f3da06ab47c5936a13
SHA1 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA512 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 cd44c87dbbaf120ef787ecab0267548d
SHA1 a4fbaa0cc2bfd613cb0998eaff52a8e95ba45d10
SHA256 5a0b80a0ffadf2bd7ee0567a288cd0c0531ce24f03607daf4ce7c3c20bd69e2d
SHA512 2d4a2ec3a77deec3146bbb89cfca1821e1c4ee9848bdc594f8b642207424b4e2437ba13d67da51e417046f6fb230f847db98de67ebbb0bfdfaf414a0fce03faf

memory/4980-572-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/4980-579-0x0000000004980000-0x0000000004990000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 0b2eb5c180089cb03b7bd081daeea0a1
SHA1 61914875a9518366e65d6eba71ed3a369d105666
SHA256 d0ad7af8e389ae7afb8b4a064790b6ee36fd9482897eea3e46c3ed7bd302f673
SHA512 bf6ee10c9647af3d8b92160276aeb511c00b54275d3cd70de4e3b9e193c4453400ba3b76cb2dfc96737014cbb6e4404a42af1d7a4e43a1f8250a4ba20e19227e

C:\Users\Admin\AppData\Local\Temp\lTQbEIcNTLEL.bat

MD5 1cb1a7d60b3bc3f310a30dd2e3583f9c
SHA1 b3f1067fdaed74bac9ecaed1a6a49a159f0c4127
SHA256 7a4eee685e3ec17bc907934ee96147beac32e63c1f4060ccb586e6777e249cf2
SHA512 d62ad3038407351fc360a8948cce80f391fbc6b4cd1d9ef5c72de8b20a0a082afbaf464d7fb0ec184414301115c135fae342a4f1310043fd9794cc13ec057503

memory/4980-614-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cff3e6e72f314fa910a42aaf285243e1
SHA1 6da95afae1e396ce69e07ddbfd1c9ea11daed22a
SHA256 b1b50cf30cb17d9092bbcd46726f694872acc789bfdf33ef10bb207af754d416
SHA512 0bed6da18ce3f788ae0644440aca3ce476ecb1bae3cb444ef466f838cdd6fa81596680521c86294126e02f57a9f3afafabe7b1cb4f45e9ed47e9c773b20051d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cb4a.TMP

MD5 4e34cc7014436ce21c0467995a05fb83
SHA1 18e2d1e0bc86fe9138c260ea3a67e671b7613c43
SHA256 67309584217e3500d0e5bed52b316da6c5edefcb082a92003d5f6480612fef63
SHA512 57f6e068361631019edc7a9b0a02e41544267dfa0cf3c8d16807baca6f788e4849515c1019a4e61c0cc6e2cc0b0b7e1bf0645179c41ae75b56619be850f94627

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de83dc96cf9d5b8dff8bfbddddb4ccdf
SHA1 2e9b4380daef95ad27cc010492d111a373b0263a
SHA256 47b3e7bd0208a7bd5c0381ea6122021094bcb56bd696741e8c06672ce1468cec
SHA512 c5b895e41e5155fdd58cc1976be01283128c56bbb992ec64f7b54dc979b11e9e9bbe947acfc81c7bf9ed75f1f1b41f700251aba5c6e463cf3ba24fc156898e23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

MD5 f1ac243ba30b8d6986ec598bd30918e4
SHA1 a7f37252ef3dd93c2614227e8d9710b54d3f24bb
SHA256 ff939d51ded278f14c1e138c8281f78755949cc224917ad4db2a3d6a87d5bb48
SHA512 2a57344dfa0e700b56549e38f3833ba12306c38c7d8680f58c0703e13d336ff94ede1b6efe68fa9b186577c4761fcfd7cac1560e48a26f90e46951220fd4a081

memory/2308-738-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/2308-739-0x0000000005A70000-0x0000000005A80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 94bdc064ecd53d464f6b5c50c0356aaf
SHA1 53ec5a2ce162408240d2ab77a39751cd7cec254e
SHA256 b0517bbb5bcd3cab25ef5a67e209c2abb493cb7a362080f0fa65e66372fbba8a
SHA512 28b9f7a6662ac6ee2abb511053ecf6179fb5199ef474e86bbbc0e9cf518020c63f073c4dbd27a3d29512c03b9953da1e5d2ff2256c8fd8e577e0a601ecb4db9e

C:\Users\Admin\AppData\Local\Temp\aQjLNgQBcDQU.bat

MD5 f60fb81ed9a82a74c8d29ba14ee69eb3
SHA1 5ce83f05b073d8a6ebbdd5aef412fbd00722e64e
SHA256 0860a19447418312ff6c54461a887f2c5f1f260ee94e76d3e91b0a552dc13712
SHA512 41bb66c5acbcc2f1c6419d16e7e70cea84ab7aa3d458264675a2e89d1cf2f5321cad6ef1b525231c523d2e188268e6918affd4d458e2506a1e4f6e6ad731db80

memory/2308-746-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2dedb384f11a6303529c1677d32fd4cd
SHA1 16baa633c7d9f0382f5ea009aa9a5dbc36a35562
SHA256 63ca7356bf1911ee10efa4cb8cf28bcc38ae4d6807278fe7b57f404fd3aaf8c7
SHA512 dddbf21c9488657061f7002ecbe6e987481120e1e0085b73b61252d6dcde37ff325f75c6920aff0cba4cb7ae8cae595a0a7a15c1360c3bc591869084b11c9d00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d0dcf1153b8dfda0a162e8597cf54ad9
SHA1 ec8c3da0fedbe12b3313a401dc8057ed801083f5
SHA256 40d03963e82876d99c0ea53f594f4fa7020ca73be6230b96431a61b665e8cefe
SHA512 232ae83628ddacc9c8b04c8692a1efe17580c4a2020f981e0ba02d315b96078ba9d06c59ebc0e43257a51e064f38622f70f3fdc03280f9739989919ae87d5893

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/1976-786-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/1976-787-0x0000000005300000-0x0000000005310000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 bebd5c66a8dc631d112fa15a004607ec
SHA1 6d33be5c5e5b5a46b477497d94d7240916466491
SHA256 9c5b2f53604902695e3a17e34089f0ac62d65c1a3facdbca242e583615d1ee5a
SHA512 dd8fcc501e0e48691325767a92c27fa0ad33c6c1b8672c9f2fc63a78b52b123f7e50c28194a1adf31cacbfd883ae081d77d6514b4096b9de74bee24284982359

C:\Users\Admin\AppData\Local\Temp\2zrNovLba7ao.bat

MD5 b20119a9895ac52563a050f05a2f3d74
SHA1 59b045b5382fa7d38e974a592ef8324756e867c0
SHA256 14156a4b7e9c70bb567653b3b54c163d0cdbc537faea8da47a28196a412847f1
SHA512 5fe9fb8939b9802d340d37d89d2137dc45c4b78ffb3e212e29c3f72049913734fd9d1704cf3992eb74ea0abc3f693e22f42e12813b5de9a53e876aa2e45760c4

memory/1976-794-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2d0347f7af986850aa329e96ac5893a2
SHA1 15b4c55c8a8f7b0fba4b45d7e180aa247f9934d5
SHA256 0f806b0f36cdb2671b2f4b8ebf4fe6ae0fea0c9278fb39bd3cb3850126b79760
SHA512 d4010d50b2c4aa433438cb0bcb901577956fb4708bdf58fef790bc50b1875620c24da0c8afecaf27a0ee4004308e88050f42507538520400325c34cdace9114b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 d910e73194aa47b8a69c0596cf0121c4
SHA1 b00e0a33b4195292102250144e22a6770372a9a1
SHA256 60061f24c61ed182abad2f88a4898aff431e079c0f6b9fda91eade54738ff19c
SHA512 ad39b501fc9fd2a94f4f4024a0e00e0d9dec78080657681255fe9a4c4a081633679d2a3f030d2567be073616bac6995fbc8ca001f77fab2ec30b50a081bd2ab5

memory/2908-847-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

MD5 98a8a5d471fe111c573e93bf61d14b6c
SHA1 75a0d1a33fdb53af8ff78560e6a716fdc37b539d
SHA256 a3e0a65923306d126ffe4f9ca8b2288dbad7a02e8b8efb8c3a4ef8351889f9b7
SHA512 100cfaa619b5136ec83ac82c9a2333216716581ea7bbd934a964fa03fb9d92e695eeeb8e6425a3cc86348b654e15050aa1faccab7189fc4ce7e66bc9bf488c5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

MD5 015c126a3520c9a8f6a27979d0266e96
SHA1 2acf956561d44434a6d84204670cf849d3215d5f
SHA256 3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa
SHA512 02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

MD5 d6d1e7dd954ba6d6d40943020628e4e9
SHA1 ff21bb23bc72d6b523c9d9e6d5a67df6a7561498
SHA256 af7788b954f7d5bda174f934249443c931557c86bc89dd0ed1c70fbde3e5937c
SHA512 fc982f32aa326dd99a757bb0f69546318260257d7a10e3008e09ba07309694eb0dd0986674d1e17d43f8fa06a653d2c0dbb2626868b60a86833614c9a708198e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

MD5 17638a050e2d849a50bff892bbab78df
SHA1 bb37f6dc9198a28ebb2f6f9fd2bf4d81ed2b807b
SHA256 53004a91c39704dcaea8f54724c730695a0d43bfba2da764caa44e6da1aa2eab
SHA512 179615aeb045f21fc297a52bad9e9abf4aeb132b7cd89843d5c37b7eef90786358f5202ea95cf28db7fdb7064bf56aa7d8a27b1315e24cac1a743ceb36b06dcd

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 4c7c6888c6caeeba51c75d6d42e9dd6a
SHA1 0cc1054320d2478fbd930e567db85227023df5f2
SHA256 d82a325520b6d72fff8d732c567ea4d085744e0da91eafcdfbc1e4b1319e2133
SHA512 5c14f725943e00a8e7e5e80835347c859abc77bcb1d88f91d92a1e93c0ade5020b31eda012dbfaea0715751d29d49b38a95826518d5f18f652280b1329eaa833

C:\Users\Admin\AppData\Local\Temp\chbkGAlgEntu.bat

MD5 1df45ddcc297a0f08c1f7b38dbafec17
SHA1 75be05e23aa4ba8997f2e6cf74c570361efe965d
SHA256 f5e4d7602918cfac033cb54a7a44cbc9b51f52a93ad8157f9f268f5f832ac47e
SHA512 b59930bd2445ac808202af7f5f821922c1649ae0010a09e2b129a7e15bbd292ad76e577bbc9915d1dcde277f0b56b03d207c4578cf3eef259f86674a3282ce3a

memory/2908-934-0x00000000753D0000-0x0000000075B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\57a7545e1e3dd1c2_0

MD5 ac06aecc4f2431525211cce8e5f71c33
SHA1 1d28f6527ee07fdba4c46d3fbb2200ec576bd1a0
SHA256 31dab55fd69f39cb429c170e23a92402d4a7ef7d65ab9a44daa5c3e4794f69d5
SHA512 15ade5ea579ad3e271b0736490b8c8312a65287b8038a750afc82b9e48ddbbad667638045e4b555ecbdf23241b8c073cfae318ee7d2c2f75b5359c8446679da4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2df7d7123311c9131b92118d5e9a02ef
SHA1 9eae9f902c03b265c58cd57e8d9e59366f828824
SHA256 98d8f6901cd7324c4f4c111efdb9859c0e7887c633c0bdaf22e0ca657bb21e42
SHA512 b87087ae8014cebc81bafdf6eae3a26bb2d88433bf59cbe95fd3d23159527b826db287ba81f22200cbda6b98967dcfcdd245d444b2fc42571b4631d3716b0665

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

MD5 96908a46b1b18eb8989a8fc1a69d8d8c
SHA1 a343887e5fa762da4304fafe0b8ade599433d052
SHA256 92139e652c2c135768afc6d808f2182160636b250492a28552d9ab277a32ed92
SHA512 48274d31be0bd10919d868147b3f614d15bdd9e6197ef0300f06ebb9c94a47b436fc7eba0c96ea7caed9fe680d37bf373a04ca4cc5821191b9cb6f1ab0df4b49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\535c53bed1fe3b5c_0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9708302212dd6027_0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ba29808787470df_0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a5e77790e4598fed_0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

memory/4296-1033-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/4296-1034-0x0000000004E60000-0x0000000004E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

memory/4296-1054-0x00000000753D0000-0x0000000075B80000-memory.dmp