quasar | fcd5b843d50ec2f973aaa27e54b6bf045931cc3cb8d9bea4edaade352fe0f7d5

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (2) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

3260 schtasks.exe
12 ip-api.com
34 api.ipify.org

pid	process
3260	schtasks.exe
12	ip-api.com
34	api.ipify.org

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral22/memory/436-1-0x0000000000DB0000-0x0000000000E1C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeM4XrlTH6NcjC.exe

pid process

4736 Client.exe
4608 M4XrlTH6NcjC.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.ipify.org
12 ip-api.com
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

3260 schtasks.exe
3288 SCHTASKS.exe
5092 schtasks.exe
5676 SCHTASKS.exe

pid	process
4736	Client.exe
4608	M4XrlTH6NcjC.exe

flow	ioc
34	api.ipify.org
12	ip-api.com

pid	process
3260	schtasks.exe
3288	SCHTASKS.exe
5092	schtasks.exe
5676	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617831666177388"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exemsedge.exemsedge.exechrome.exe

pid	process
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
3632	msedge.exe
3632	msedge.exe
1700	msedge.exe
1700	msedge.exe
1140	chrome.exe
1140	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exemsedge.exe

pid process

4560 chrome.exe
4560 chrome.exe
4560 chrome.exe
1700 msedge.exe
1700 msedge.exe
1700 msedge.exe
4560 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni - Copy (2) - Copy.exeClient.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeDebugPrivilege	436	Uni - Copy (2) - Copy.exe
Token: SeDebugPrivilege	4736	Client.exe
Token: 33	1232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1232	AUDIODG.EXE
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe
Token: SeShutdownPrivilege	4560	chrome.exe
Token: SeCreatePagefilePrivilege	4560	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
4560	chrome.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exeM4XrlTH6NcjC.exe

pid process

4736 Client.exe
4608 M4XrlTH6NcjC.exe

pid	process
4736	Client.exe
4608	M4XrlTH6NcjC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (2) - Copy.exeClient.exechrome.exechrome.exe

description	pid	process	target process
PID 436 wrote to memory of 3260	436	Uni - Copy (2) - Copy.exe	schtasks.exe
PID 436 wrote to memory of 3260	436	Uni - Copy (2) - Copy.exe	schtasks.exe
PID 436 wrote to memory of 3260	436	Uni - Copy (2) - Copy.exe	schtasks.exe
PID 436 wrote to memory of 4736	436	Uni - Copy (2) - Copy.exe	Client.exe
PID 436 wrote to memory of 4736	436	Uni - Copy (2) - Copy.exe	Client.exe
PID 436 wrote to memory of 4736	436	Uni - Copy (2) - Copy.exe	Client.exe
PID 436 wrote to memory of 3288	436	Uni - Copy (2) - Copy.exe	SCHTASKS.exe
PID 436 wrote to memory of 3288	436	Uni - Copy (2) - Copy.exe	SCHTASKS.exe
PID 436 wrote to memory of 3288	436	Uni - Copy (2) - Copy.exe	SCHTASKS.exe
PID 4736 wrote to memory of 5092	4736	Client.exe	schtasks.exe
PID 4736 wrote to memory of 5092	4736	Client.exe	schtasks.exe
PID 4736 wrote to memory of 5092	4736	Client.exe	schtasks.exe
PID 4736 wrote to memory of 4608	4736	Client.exe	M4XrlTH6NcjC.exe
PID 4736 wrote to memory of 4608	4736	Client.exe	M4XrlTH6NcjC.exe
PID 4736 wrote to memory of 4608	4736	Client.exe	M4XrlTH6NcjC.exe
PID 2952 wrote to memory of 744	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 744	2952	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1740	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1740	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1924	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1688	4560	chrome.exe	chrome.exe
PID 4560 wrote to memory of 1688	4560	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1236	2952	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:3260

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:5092

C:\Users\Admin\AppData\Local\Temp\M4XrlTH6NcjC.exe
"C:\Users\Admin\AppData\Local\Temp\M4XrlTH6NcjC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5676

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (2) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeca0dab58,0x7ffeca0dab68,0x7ffeca0dab78
2⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1980,i,3728421172524156354,18378075894502999866,131072 /prefetch:2
2⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1980,i,3728421172524156354,18378075894502999866,131072 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffeca0dab58,0x7ffeca0dab68,0x7ffeca0dab78
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:2
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:1
2⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:1
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4180 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4380 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:1
2⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4296 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:6032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:8
2⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4780 --field-trial-handle=2012,i,6993790211061086141,240617904716338810,131072 /prefetch:1
2⤵
PID:5628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.oracle.com/javase/8/docs
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeca7146f8,0x7ffeca714708,0x7ffeca714718
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11259101541946440409,12047004447301703676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
2⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,11259101541946440409,12047004447301703676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,11259101541946440409,12047004447301703676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
2⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11259101541946440409,12047004447301703676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11259101541946440409,12047004447301703676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11259101541946440409,12047004447301703676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
2⤵
PID:2392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
6e8e5eb366131c00371faaba453d016d

SHA1
916f832c0a93cf74c401ac0a705b949b1dc054ef

SHA256
3b6f19e78f137fd0e074bb94ce0484e805b6d102283651cd04469087398e9b19

SHA512
eb0d4017b820f6a48d8b6a822a42e69f7933013b98a2854e1c5af8e6c75c0e641ca7fa70c19df7f2214a8c1edf04b8efc996d5d65c237484feb2192280428acd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
6684c849a6b53bf0d0fa3871dbdc3ee8

SHA1
759a34bb06a336be7d793f30394f5a28d3345558

SHA256
3de3ecfed7291f4a26744d7a5805e01c420218025e0feeac988df48ea64421ef

SHA512
2cf61cf7aa3249ed8615b442cb95ddb4f024f5b29db3efc313abd6378ed61d9d7313788a737f77704d8f900ab1a6e2b01a7af279b0d8575e7134c1dc3ebab788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
03c8bfc8e8feaff48a61eaa4120656ac

SHA1
2e9a203251eab0d1166b0f884f71e251745b3449

SHA256
364e79bbcd012aea4c895ac81a7aa8d2565ead8177a591e62257e3ff1e11c6e6

SHA512
b1dd48b8292c047552c3171249abd783dd52db8839b157f81e11b18e115bc9546734740be99c4a4322cf19d928b78c145f2f4966f9cda9887951e12677ae7b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
1bed6ca1663667deb085598c37e9d04f

SHA1
b29aa373d2eb723e58bdf26688f892495e1f305b

SHA256
99839050a7f830134ab8b6fbf3a9678fdc5cc80c86d11b9ef64af72a031df360

SHA512
d6d5ff1219b1035496b0751c58a79396b58c6808188217b733b3d9b64ff24f71a162b096795cf4f7a5c5ce7a1ed9f1f19e8889114c797a2709c211df25de0703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
35e9cdc4e1bb016f4f9dfb6c43a1d376

SHA1
db4fb582cfcc9b5596774a40c24e4094cbf80eb8

SHA256
cc214fa06eb1e12b21d9e6824576c3e0bfc3175a0ab50317a2303776eb6f1b11

SHA512
034cd1760691f4bf75e92377abe95de111328e01ad1081f4d3b7a1dee772ad7b7c1f717d06207fd1379f82ee8bec273f711b5b73c9037fd0afd422bacbae9a6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
e0cf7af25c13625e3db996078634c7e0

SHA1
b128bb313312131d3a28b0ebec76e23d8d898b9e

SHA256
750fb2339010716a83a8837e0d1e01e796a7641a70f0b7e80667d23a03ac23ab

SHA512
d82db7bd803fe02e888fc7537d731a27cdbe51f5294da72cc0c9ccfd4af2cfbaeee246701af9e455fccf8bf9b178b54b7f5bff7bea80c32cf067a40dc6663665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
eed86b2d997d48d417304312bbca97b5

SHA1
8a73f922cc448b17b1e79cc3234ec3e1089797ea

SHA256
5f32a04a8dd0ee42e3f500e8e897e6a3a9e95925fb4c8cb27d38ab3b42f2696e

SHA512
17b5ca9c7757283fc9ea2920f4d3b0e491565e980e97421d2303afc6322ed8e6be323e4a4255e23a9d81624f14b8d250737cffba00ce05356c9bf56659d96f5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
4838b35a41abd5911eca30efa31fcd93

SHA1
3980d5cf27d70781f4d23a1b7bf8e9b4d63ad903

SHA256
7268be2f48d3369796d5a812743a73a9b99c21bd487244d80f55d80c0ac0aefd

SHA512
7a59e8971f810899407280e9c5416b022e93579c44db6927f4b14a82e8b3d453ea4b73661f233e24dbabf3e0a9b0ca27ab6b72c39b80570ccff4d2e9fe003fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
ea9d63da7787af51ae4cb51780e2559f

SHA1
d5267e1bb878c58bdc22977738c8e52c92005386

SHA256
6a954dd8e8843bc8e5517d6f9ea7d68e2606170e92f5cb4f4502df8f916cdd43

SHA512
692c40fa2cfe957fbf09eda5c5c48b48441218584b8fa0dc115079bf500cd8e92414d4787cb2cd1ff3341b2202e646b49f2e9fbf07e6ba1ea6516a181416d576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
92KB

MD5
eb27d81f6b39f13e8026f3df5e7903ec

SHA1
83c8c85cb92010922fe76c96cd00ee3634a9af8c

SHA256
910c984ac698ccab3de84ac540d57861d4691d7f0ccec44d9d0b9b1735e859b8

SHA512
f769dbe1836a9566df390fa3bfb535b982ca98a25ce156cc96f193bef266bb40910ebf3e8ded268e6660243542d714d31a1c15742b29e7d2658d38e09288efaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a783e.TMP
Filesize
88KB

MD5
e98e914a8d531d0f4ea9b9509cc571fa

SHA1
fe53cc4ab0d53adde98c85b7bd53e4d6ba767d4a

SHA256
6830789fab249dc7fcd36f3f25ef1981479bb966595030f2d158fc9d487cdf1b

SHA512
b65ce995c71134561538e9fffb555ab0bf1a746e56a138b554eca35947d0361b75f5cee7167a7e84816a501b166465d010a0bfbe149177f518e97cee813b41da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
cdca88b815fe8861beef460c94dd1859

SHA1
f300b1cc9fc43163631fe842ecfd85d70426bb98

SHA256
92c25bc4a83e46a3a3da4b80d17bb8d019006db6f49ba637f89c8333a78395f2

SHA512
fb98e26906bfe40672fadc8f4698a49c57250dddcda0ab5a7025e2ad72a64f9c7b3a0c317afc4c3760eb34260b962f66f4405fbcb14f98081d2d57fa50a048ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
efa2e1ba4534286bc49b12f69a038646

SHA1
6b5a2e5b14e8b84ea85dcd62e20b19242c18a63c

SHA256
d602b8c4019965c17f805e3de47b1970f96a9769389b7bffc981d104949f0278

SHA512
0d7b51957dd0b0b362cbe80306c10c49a8e160636b92d383bb98c42be796aa9dc6ac79dac0c8295cdf053ad84ce82463f43a8e87e7b30d34eaa706b12eb96039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5430772c312b7b6c0c91670283984218

SHA1
81a33f9af64202d988a9334263c498d7bc2d5619

SHA256
f578eb6bf17978d24bff94efb6835e5cfb283fda3500b5044188cb8bac5acd33

SHA512
3a84bf0fb2bfd9e02a38593e68dcf27b6c4901f3edc12c222f1c96730e4ed2ff868f61774dab9f817083d9cb0561c952f0cd13e709fa407bb0e66c9afea316b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2a1e4734ba95d97074c7fe5131d4deca

SHA1
9d7bde1b67796f36aa549f5f30ec7e959a40d75d

SHA256
7759fceb051babf7e2972e778da30346afe836510bb787f379bba3df88da6893

SHA512
78a478a240ece0f7d7531b200a5521e6e338ae1d1cbacab3d3651bc590ed2d8c60e1a0242eb17f32b0e7a088c6c4a72da81328b29137ff97d884fca7d5ac5978

Download Submit
C:\Users\Admin\AppData\Local\Temp\M4XrlTH6NcjC.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
\??\pipe\crashpad_4560_FFOZPCESDPEXDBUU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-5-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/436-6-0x0000000006640000-0x0000000006652000-memory.dmp

Filesize
72KB

Download
memory/436-4-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/436-15-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/436-3-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/436-2-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/436-1-0x0000000000DB0000-0x0000000000E1C000-memory.dmp

Filesize
432KB

Download
memory/4736-195-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-12-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-13-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-19-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-17-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/4736-18-0x0000000006B00000-0x0000000006B3C000-memory.dmp

Filesize
240KB

Download
memory/4736-20-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download