quasar | 1e8520858b228d7d7e60985b90089e0223a69c5118a7029b10658177dcb4709b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

feb24955d3504654b50393efdafde20d
SHA1

3e43172200820307c71d2885a94d4f40efd5cda7
SHA256

6f732f4a61ca68e185972687c1ecd6a2fed2b25bea11dd81bb9c5d8f0e471bce
SHA512

1547189a9a14f4fe7313d2bf07218c52b88128ca66d704ce0cb1ad1f529af6c87192c2f2f639f00718ed21cab5b0ebb14416e24c9b77c129ae54026de8f9b1fd
SSDEEP

49152:Uv0iiN2tPa2vpJPylxhhC25D/Wv1zZLljFuvJmYoGdk/4THHB72eh2NT:Uv/q2tPa2vpJPylxhhz5D/WNjFAU

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.104:4782

192.168.1.104:50133

127.0.0.1:6000

DESKTOP-9IMIHQU:49736

127.0.0.1:4782

127.0.07.1:50133

192.168.1.104:6000

Mutex

03bae1e9-f5dc-4e0e-94fb-62a44e846020

Attributes

encryption_key
1BDF94B25EA282E8D3B48C8D6810CDDC133AFA4C
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1944-1-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

1176 Client.exe
4752 Client.exe
2492 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3712 schtasks.exe
1064 schtasks.exe
892 schtasks.exe
4532 schtasks.exe

pid	process
1176	Client.exe
4752	Client.exe
2492	Client.exe

pid	process
3712	schtasks.exe
1064	schtasks.exe
892	schtasks.exe
4532	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618967784202459"	chrome.exe

Modifies registry class 6 IoCs

Processes:

explorer.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3800 PING.EXE
2956 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exemsedge.exe

pid process

2704 chrome.exe
2704 chrome.exe
3964 chrome.exe
3964 chrome.exe
1072 msedge.exe
1072 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2704 chrome.exe
2704 chrome.exe
2704 chrome.exe
2704 chrome.exe

pid	process
3800	PING.EXE
2956	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1944	Client-built.exe
Token: SeDebugPrivilege	1176	Client.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

1176 Client.exe
4752 Client.exe
2492 Client.exe

pid	process
1176	Client.exe
4752	Client.exe
2492	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 1944 wrote to memory of 3712	1944	Client-built.exe	schtasks.exe
PID 1944 wrote to memory of 3712	1944	Client-built.exe	schtasks.exe
PID 1944 wrote to memory of 1176	1944	Client-built.exe	Client.exe
PID 1944 wrote to memory of 1176	1944	Client-built.exe	Client.exe
PID 1176 wrote to memory of 1064	1176	Client.exe	schtasks.exe
PID 1176 wrote to memory of 1064	1176	Client.exe	schtasks.exe
PID 2704 wrote to memory of 1500	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 1500	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 3640	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 1576	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 1576	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 4588	2704	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3712

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tb8Pr9iAQx64.bat" "
3⤵
PID:508

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1304

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3800

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R3Z3c76xoyDS.bat" "
5⤵
PID:4040

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3720

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2956

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8370bab58,0x7ff8370bab68,0x7ff8370bab78
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:2
2⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:1
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:1
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4584 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:1
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 --field-trial-handle=1960,i,6176297299895474690,2043429046279967229,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:3452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault451c7ccbh9054h4630hbd1bh0588c3f03f67
1⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8338846f8,0x7ff833884708,0x7ff833884718
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12809885660899257758,6913007087839286890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12809885660899257758,6913007087839286890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12809885660899257758,6913007087839286890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
PID:1864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
85798492f2dc269fcb79206c0876da80

SHA1
3f563bb20452d3afd159343856273bbe54059997

SHA256
030ee9e6ab557b21f60618f97e969931d9e0adb5332a4c18e7f93b6d5a321d6e

SHA512
c3a995ec5aa07b4f78b562c559a9cde7398ab4e94b4a3a5ef64f5a58653fe4bcd53869485d19c823666104702e01ea4cfd0014b066790bd432d80c179f1d5509

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
0cd2d56911a5b06d86124b114f55f3bc

SHA1
2690a3ff3f83204b94da99458511e92b40b853f0

SHA256
c9630c855cad0f414df2b55a39c3631fe7ae9f3ace054a43ca5a79dcb280149b

SHA512
7b4a8c3c842e84b076313b9671360f7854de4340b5aebe6c5707a3b8cc9e2a73ca5c7e7a5f5491cb7f53566165db1beff543725a8eaea1d7984a559e1afba6c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
977ff9241e1b4d50184ca3ac58530965

SHA1
812352f313d6414dfbddf42ca919f023d2c161f6

SHA256
34b2d69836be2e94da078f7c4b96b5850e8d6d5bd0a69478f44c1f7902328630

SHA512
27df1998a341248515ead775cecc2b3c21e5fc9a40debb4c5364fcd116901bfb3c49146f97835f6da6df8945f80ed8171017352e5596e763184791477df4e653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
acc5b4ece26b5715a4886a55600cee84

SHA1
bb92a518080901df3176a86fc06272203b5ae28e

SHA256
03f2073615defa5415221c74c07c5876a3d4f566043c68e2f3551a65abfca654

SHA512
4fe934b707907a62984f48578a6f2ed25424314beab9d26058033d1c26d5d72a2c103e5fe7316eba3d977c5cd7146bd0998c4a16145150be32c922b38c129881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1f9610a8c33234b28461ea7f81d65aec

SHA1
c7f8deb5cb4bcbf9b78b3bf4cddfb2aad7078348

SHA256
853bab9d2e1f99adc61881fa0d8a26e86900e0f154a6cff1e270e04252379fb7

SHA512
2117c35cef0c27ef7f9aef5bc3dbae4bac6700d0d3b3827fce6ff84c1ff07a946fc573aec37ae2dbc2a312753f2be5af4aa9bb43b4d952b32447c64aa6a7231b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d96ba5bd-5235-4fbb-aa74-da248792cc73.tmp
Filesize
354B

MD5
25fe96532e5409d63d40c9c21bd799da

SHA1
f85e5ca3d82e242f75a9ea7e5f2ab713fc9fea57

SHA256
66376ae96a26521d198322c9d847dcdd9793bc75fd868fdaec45339ec756a42f

SHA512
f91e7d9ba89673aed9194c09885c54c9d6f23bd9fbb651810dc770c8a9e69d17c0b185d3ad43f1ae47470d8f40caf4e64a74efecba907b3d0403990b8243234d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4d8a177aa37c5ee684bc730727ca0f1a

SHA1
ca9f7ebd3dda755d06aab29d0905ceeddd12b1c7

SHA256
fea9a1116c2951f07fd424fc5a85a65b31903ce1d37e030240f1467ce3544c2c

SHA512
514c70b7ec79d7a032ae0446de565ca830b5a981fd51fd841c3d6a56bf070c52ea3fbb3a951688d4270dd24a3c81308092a6107b3a2294c2f987a7e2299913a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c4caf663b14a41ba7f7a892f7d317d65

SHA1
14779663a67b0325348cc9310b6f2275d021d904

SHA256
62773b87fa4110dd8e50dca4bb6d54b6637ebc10e9828d712b039dcc6ae79b6a

SHA512
6ff074c9057337e6e164c7414ea58d99c520d90fa5f70795e0ab662a3413880cd8c22d9e85a0df194bd0c1926f48af22e49f1b79c74c723802137af630a049c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
71cbca9734810a1e838f22754bb6def4

SHA1
90e4041c2db2d89207206c1898a8ba897686b0b9

SHA256
c6bf239f6338caeb7e0c17c9947eb43fd03664be8fe0223d20f30b283f712cc0

SHA512
d305e086931ec4c9db29325d5f67d92f176b400d24c96f3008b32fc05306c969b352ee1af75d3a170b924c36f9da2d932781790e3e28b217be77ce67ad967e71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
7cbd13175485485713437389b695506b

SHA1
510145de33ab497db231f40e1775013288a86a0e

SHA256
96106eb8727102c7849b9115895b1ca834653540a7d87fa32368bf8e110f25c6

SHA512
37846d953686ef1655592d4a648a2be73095e95f1b4b8e4078fbd432caf627bff53569a28e0b46e5563dd43415c41156fe1f200c26d71e161cf35c138fb133fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
e354dff90c46f296ed7ba4125d8545e4

SHA1
d3e9648ceddb6b2e9f2f10dc7a6c65b016c4944b

SHA256
d738c5b19f3698f3f3020517e89b11402d48ec900e81f9a1376826e7c319f752

SHA512
eec1259e46fffc7eeef53ed1eadbc4021c961cf3fd0c4ea10ef242e61478c7a1ae4b07da33a16f98533eb5175e97618ca42b7e51bcb60ce340d60573da01ac22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
96KB

MD5
4b00a6ad6b9d0a4bcf5f41718afef172

SHA1
df209d15b0b420eb496139dbc2c44719af359e40

SHA256
3ecfdcb270debbeda2a682944d2729132f34b0dca6a0a0cde5d93f033fb79444

SHA512
9364e7e41e93c490d72221fb564948f60ddd59c8f58ceb93bf11b5f4b151a09d35e854664d16ea8456bdfdc4083f104dd113a01732aa70e5200541825b0a4c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ef2d.TMP
Filesize
87KB

MD5
30d8bbf27068a1f98aeb54bf6695cf04

SHA1
57bb15ca650418e42fcdc4e2e9d63b45915508d4

SHA256
452eb3689f300947ca8d2a723c02a6fb4bb9b592259df8114cc68d9f96b2e9c9

SHA512
575748eb50908fac7ff87c98b234218d72e9776f642038e644e56abbad52b332866ce997be08cf4d166840a54ced72c98e745341db1caf0ce97b38404094c21c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
cbd62ac578f8415f956d03b5af28cb54

SHA1
7c7c99787d9ef476fc9ddeeeb936e3bb4e535315

SHA256
d8ca0e4e94df1104b245fdd678a42a057dcb3464925f52b720d1af04c23a80af

SHA512
dd57450155aa802ea942372088a34452bb6c2a51db142bccfe807857ce673ed117a54f99e855760afe210df9369296a3a77bbacfa5829cfe15742729b091311f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
bab610a7e8e3319471548813b18dcca1

SHA1
fb56dafa29cb01bc14ef2218b0005ebf16ef771c

SHA256
034c0b5a326e015204fcab8696c40b6031db988580b996d7ec596b3fde7075f1

SHA512
d990ad7f448263f78c68475263d6b26aca4c4de02d823feb0136f1c67d720d0e7569e46033928b2f99c15c3192ac77eee9f83711134c96420cf975426f1b9a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
9c76e8b1c6fb3a57edbdc4a18900f8ee

SHA1
231b259a4e755928bc80453476440678fd382608

SHA256
5dc26946a9dc0debf433f2274b7337bc9bef2a78d995e26afca09b44014beda8

SHA512
03499c1a0ef3731964ab60fd2c164a3624df167354cde9fbe19bdd9efb4a5e5c1388dacf98f94d3501fbbb1b21e48b44c9da40af03a23260377eecbcf444104a

Download Submit
C:\Users\Admin\AppData\Local\Temp\R3Z3c76xoyDS.bat
Filesize
207B

MD5
9f1fc1d95f68a3fb905d04b6c3b6993c

SHA1
9b06c25e788bc36aea3f10e76732d13975d2ecfa

SHA256
e7458f8d177a5ceef602578372312ae65bf9afa87b69055bf50bb5ded18fbf4a

SHA512
f83264dcb8e653e23c933c05d8d72bc6cc39006ca4624f07eda0672a311f9a31f8f98835ed353f9e78986fbb83d50db4456cccf0fd4e8c50d04ad79111bc5205

Download Submit
C:\Users\Admin\AppData\Local\Temp\tb8Pr9iAQx64.bat
Filesize
207B

MD5
7b02ab10747ffa3b8957778bca71ff26

SHA1
c538bfae1b2604b5b5351331e576a2051ce7fc5f

SHA256
e32206e1dfb0d92368090970e0072fc6820ef1a32091aa80ea5f3afbaad2c712

SHA512
cd26e63224769d73c665c0bb68dfbe4aa89ad6b645af4d4be59c9d1b692d3117ff7ea5c8892078c9dee41dd7b1420ab617531db433a1ba00b89954b1110b128a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
feb24955d3504654b50393efdafde20d

SHA1
3e43172200820307c71d2885a94d4f40efd5cda7

SHA256
6f732f4a61ca68e185972687c1ecd6a2fed2b25bea11dd81bb9c5d8f0e471bce

SHA512
1547189a9a14f4fe7313d2bf07218c52b88128ca66d704ce0cb1ad1f529af6c87192c2f2f639f00718ed21cab5b0ebb14416e24c9b77c129ae54026de8f9b1fd

Download Submit
C:\Users\Admin\Downloads\Hello.zip.crdownload
Filesize
1.2MB

MD5
06c9f31b75092e470cbbf178827d9e7c

SHA1
5025dbfac6a48ca594973f43c801ddc47627c236

SHA256
1e8520858b228d7d7e60985b90089e0223a69c5118a7029b10658177dcb4709b

SHA512
9dcd719b323cadba6f8e624adf8b2506d777f7e0638a807bb8cb787650b79822057588fb02e835d811e7849ac1fceeb0cf14243c7823979ab1e7309bb05826dc

Download Submit
\??\pipe\crashpad_2704_HVMYGOFJTADIVDGB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1176-76-0x000000001C600000-0x000000001CB28000-memory.dmp

Filesize
5.2MB

Download
memory/1176-9-0x00007FF857A30000-0x00007FF857B3B000-memory.dmp

Filesize
1.0MB

Download
memory/1176-11-0x000000001BCD0000-0x000000001BD82000-memory.dmp

Filesize
712KB

Download
memory/1176-10-0x000000001BBC0000-0x000000001BC10000-memory.dmp

Filesize
320KB

Download
memory/1176-91-0x00007FF857A30000-0x00007FF857B3B000-memory.dmp

Filesize
1.0MB

Download
memory/1176-68-0x00007FF857A30000-0x00007FF857B3B000-memory.dmp

Filesize
1.0MB

Download
memory/1944-0-0x00007FF857A30000-0x00007FF857B3B000-memory.dmp

Filesize
1.0MB

Download
memory/1944-1-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/1944-8-0x00007FF857A30000-0x00007FF857B3B000-memory.dmp

Filesize
1.0MB

Download