quasar | 0463f6a7f96dd95ae2352e658a17210f6242fec676cacd4c9a8042e1b040560e

Analysis

max time kernel
642s
max time network
640s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

d736427dd2ccd3f8a536d5cf69827f6f
SHA1

20db2442845c8559801de82434b3af89b6545c4a
SHA256

0463f6a7f96dd95ae2352e658a17210f6242fec676cacd4c9a8042e1b040560e
SHA512

822bdf46a2f950f42a8c17afe9cf1ca27685fb44e180966871df2f2da08b872a10e72e5c892b901d3c1a9f2421ed91ac14b452d0d87fff8146e3839740fb0112
SSDEEP

49152:fvvlL26AaNeWgPhlmVqvMQ7XSKPmEqf5P+rk/GLoGABTHHB72eh2NT:fv9L26AaNeWgPhlmVqkQ7XSKZqU

Score

10^/10

quasar xworm office04 discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Name1442-37611.portmap.host:37611

Mutex

f21583dc-cd85-4a94-b7ea-858f2e9d6287

Attributes

encryption_key
A43011D93D39774DA187A9FA7731DE56F484D345
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

127.0.0.1:37611

Name1442-37611.portmap.host:37611

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/1688-286-0x0000000000DD0000-0x0000000000DDE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001f00000001e093-133.dat	family_xworm
behavioral2/memory/1688-140-0x0000000000750000-0x0000000000788000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4384-1-0x00000000004C0000-0x00000000007E4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cc0-6.dat	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe
2868	powershell.exe
2404	powershell.exe
1496	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BdDDhoJ5ODmV.exe

Executes dropped EXE 9 IoCs

pid	Process
4348	Client.exe
1688	BdDDhoJ5ODmV.exe
4516	svchost.exe
2364	svchost.exe
4596	svchost.exe
4544	svchost.exe
4120	svchost.exe
2852	svchost.exe
5012	svchost.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	BdDDhoJ5ODmV.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
73	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769496121895605"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4028	schtasks.exe
3096	schtasks.exe
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1448	powershell.exe
1448	powershell.exe
2868	powershell.exe
2868	powershell.exe
2404	powershell.exe
2404	powershell.exe
1496	powershell.exe
1496	powershell.exe
1688	BdDDhoJ5ODmV.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	Client-built.exe
Token: SeDebugPrivilege	4348	Client.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
4348	Client.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
4348	Client.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
4348	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4348	Client.exe
1688	BdDDhoJ5ODmV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4028	4384	Client-built.exe	83
PID 4384 wrote to memory of 4028	4384	Client-built.exe	83
PID 4384 wrote to memory of 4348	4384	Client-built.exe	85
PID 4384 wrote to memory of 4348	4384	Client-built.exe	85
PID 4348 wrote to memory of 3096	4348	Client.exe	88
PID 4348 wrote to memory of 3096	4348	Client.exe	88
PID 1664 wrote to memory of 3512	1664	chrome.exe	110
PID 1664 wrote to memory of 3512	1664	chrome.exe	110
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 4928	1664	chrome.exe	111
PID 1664 wrote to memory of 1516	1664	chrome.exe	112
PID 1664 wrote to memory of 1516	1664	chrome.exe	112
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113
PID 1664 wrote to memory of 2448	1664	chrome.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4028
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3096
- - C:\Users\Admin\AppData\Local\Temp\BdDDhoJ5ODmV.exe
    "C:\Users\Admin\AppData\Local\Temp\BdDDhoJ5ODmV.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BdDDhoJ5ODmV.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BdDDhoJ5ODmV.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1496
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2060
  - - C:\Windows\SYSTEM32\CMD.EXE
      "CMD.EXE"
      4⤵
      PID:1852
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /K CHCP 437
    3⤵
    PID:392
  - - C:\Windows\system32\chcp.com
      CHCP 437
      4⤵
      PID:4496
  - - C:\Windows\system32\print.exe
      print hi
      4⤵
      PID:3660
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /K CHCP 437
    3⤵
    PID:2012
  - - C:\Windows\system32\chcp.com
      CHCP 437
      4⤵
      PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcba6fcc40,0x7ffcba6fcc4c,0x7ffcba6fcc58
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3324,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5012,i,5659215999786783060,17513098476501552828,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3328

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7e5ef901-eb07-43a4-8974-dee0a98fe6e1.tmp

Filesize
9KB

MD5
21d7f61325de517bac6cb9e25730b84f

SHA1
8e744728bd2b35886e9c6e8836e561b2760acdf0

SHA256
4a0b91fbc6dc5bbb66e3946cfdf0dc909f10d614697dff1ae277d235747f6d45

SHA512
43b4c6436ceb9b34b2248e365223fea41cabac4d428171a03a17fb9b42b0eb8c219953717f0c675bef57fb0bbb2ebbc2234e25dd5faaf561b5a8679b75b6ac4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3a58d76b649d541a3417d05b2911659a

SHA1
55a1bde2a78c5d3b4ec7cacd9c1b75a579f89cef

SHA256
03baced161321a1cec3e77a0ffaa79d811366765726e9e40bcaf8928cd7a1c4c

SHA512
2832e797c8421b094a9d769f26615fab7b7db1ed6d3211b669c1afa457d2b147b284e41dd633ecefb459e04b336c46159216455d1b9c038eee6c4fc0e907fd08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
31e9cbd32957877260cd58c8cc860956

SHA1
a6e8806f6fe67c46ec618004aae29ae58a59da70

SHA256
be1825f766f06d82ada5a6489f661e2edc1f2588e3a04118307944c07ff0ef01

SHA512
cf73f2d85f0139fd17c40846134d01fdd12070b1aaf9851216a47a7c9311b98623f949be84ff77f19b0c6f3c4e56672b4ef7448b5e886b727d44f60cbd45cb88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
484e309a18af050e29082a76a1805c34

SHA1
5a3b89473a0e838da6035f94d429a9bb9519a3ea

SHA256
36a38f7686e389f360400af9621e3886d8b7a0b9d6397596f488a29ff37f8299

SHA512
1ac6764bf812cebd1bd042f704c0736f2b03717660e4ced90e479301370bc39d0eb20a8916065298a4ec2bfcb4d631c71cebfd684edb35e88c7c84cb1ca51edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2e0c84ed6fec0a0358772ba24c5480f2

SHA1
8e570d7cdf28d245cfbd26c6a0f852dc103cb771

SHA256
7b4f38d83e77af96b74b7c8dba3d534298e195b66ed60281b16385be5e052752

SHA512
cf8c20163318c019d6fb711e29966f66cc2d7aa01d0da0b2d033f4f83e585b3cea30719115856144ccaf101a38c01e4c1bd0b271faa010860f3790dff8c32894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
353c2b789d29f23f7f30c353fa1ca40d

SHA1
ff4af52b3a18c06df10d054192e145451879d22c

SHA256
45b6dea5c307647b3f7bc6093942dbb9974aa109b7ee0421588016477f518e72

SHA512
9a66cb2df7560eaf4bf03f1841d359d729e9ccdcca2935c4f3ded2b01ba8a1ab1c750236a7b295035a4c246c1b56c661e1eed79d0f3c894bae2f333321108bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b632f3f879e804e9726e9cb0b038126

SHA1
78dc7c7248cd7c5f5badebfe37a7226916579026

SHA256
d1f7bb18de044b701a01f3ce11fb61ded394ee5bb0d473a5daaae887316a3ddf

SHA512
da2ba0fd3943fffaee427261766a2e272a95ea6494627c41990de2f2aaadfbb586a481656a1a43ecffd279200ce89a7d22ad85ff131a5e56e28f3dda0558de83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3357cc3af35b7f5b9abaa46438115e8

SHA1
347c177070db50589179897f8a24aedc76adf90d

SHA256
1c2e3a65940a7e58593129263ffe7654a70e8c5a18931ace4706722e38f14855

SHA512
6c6461f6d62afd7cc82b76cedca52d24af054ec3584906cb82b749fc6cd0bb2f8fe844a75f6f11e7a8a21b80335f7286011b0d3f75845b04954efaed4be31931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0001e9d4cb5ff824c3a7ca44dd849aef

SHA1
0d2ccdb81ab24f8fc3d2faffc8ff4aefe6110ff4

SHA256
25c2be56ce33cdaf2d25c4d5a18a19711e2e2fbcfa6a2b74e15c7055c45bb806

SHA512
2bc0a7992878a02aa24b94d994151405aadb0d5a7a63fe342e4067183bd12a486ae9fbe0f11ad16455d825cebf89ad47df5c26d326b3cd3c1b2f9f57937df915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
353a65ce56cee5a641356957ecdda306

SHA1
0fdd6363bd227e114c790efd2b8c80b3e909fc32

SHA256
4c19f31409520b74839a1050681c82e8d18b56247653a1f57a02bf3fb1d3e031

SHA512
8a3347d2d7b3f51ca4a56d4649760e43839efc921ac7fc746fd091b894260fcdde00b03e39dc6f7103e071c68c2025d6fb9ee1db1f385bb14d92f2b5902a54b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b83343692e28637343b618b221125aa2

SHA1
c6a0914908fd68be0958abc13c12020e9667aa0b

SHA256
7f746adb41480f8feaa0e78e8f02689ec979b11f9dad802a55b2f98a8d265d2a

SHA512
6f2c25e0c9ee09fc325040b8c0cf9d091c72669261c636439e3f7f6418d7490956e3401448f0a460747a2f81b6bebbf9cce22dda19b27467ca655d53e6bbfb94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c45f565098bb2ecd3350f74219b2b86

SHA1
3dffac9559b77c30f4b5128ba56f0f209bffa532

SHA256
f311e79af7eb51d280ee7d38b4d601aa25965e8016a213d3d9ef88e897ebb1b3

SHA512
73955408b17cd48842d270a048784c8a88a1e721aa399d40c0fbe62e2103337d598bdeaa9fbc5016d839dcc41c2d61d7e8d46c3c3b04a25b4a1f1b30226a3a41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9017c8ae257ac33b75e68d4cf8530302

SHA1
f3695b7ba74ffde107179766c901bfa0d90b14d4

SHA256
1c7236017f8854c17a2f140377d1b051c34b22e097cabb0935197c8a79c2e5a2

SHA512
6f7dc575c83780f954d8ca354fb4a5c9ba9039363689da6a1ed4c50f16f6a53ff08ccc8515fc736b059be0488434cac877a69b0c397f0aaf666871ebfedd6b42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a29c79263e270f3bacc3f79b9503bf06

SHA1
b55effa8e90b0df3d02caeeeafa967b143638b85

SHA256
d7618e4be543bbec6ffeb7bf9c4d62e151571283f66f771a790a889df1e220a2

SHA512
b36bdc7eaa80cfe5a7b83cef5ca469d4ffc7666c92fc61e8e4b6e31811f79a212c9bdcbb8352790c69ba07597410f06c5eea19f28109da1af264eb0333c81d09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
270735a3b006b9c67ee768b65806b12d

SHA1
fd9b317e7b86d0afbd437c2701fb4931d09c4741

SHA256
928235d105436cb2051f707d432beb94682218c84716b3a859ff9a6812f398e0

SHA512
36af431acc436f2174d5e7aa94e514fc834b5e44251f5a105ff64e2c097df4062500b98644c01793537f08cddb2100385e70ccd5fc4f8db1a940951bcd23af50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aa6dc31aa0dbf9043962fe3944c1c8d8

SHA1
1d6049cd08956e3b31270d646a02f0b2bf0ccb9f

SHA256
d2e267e13b5a1dd11fe561881b8e6855cb514cddb63cb5a41874342c1edcb2dc

SHA512
b9cd04ef4bb3917f643d6b76a23aeb9189746970e482b224e03ec1ea6ea226b01498bc5790ef196194fabbc54f21d98f8f1f075719606de20bfd74f98bf76c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bcddf3831ff7b4cf69fe404547571dd

SHA1
8617ff7c797320428682c8ad673a0881b03a2672

SHA256
061075a08392d838c295bcec997f81329bf8c265c691d3f37d922cd814b15f4a

SHA512
0a81fd6830b0928b2f2e7ff53a0b5b074e90228e95cf23b63b78bf4a3fe179e7ca8214ac8f91a54af658e3632a3cb930bf80742826307b58ba755a45d4a316a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ec9105886c7d2819b72a362c2f3191d

SHA1
14f4011a3c5bf3418a869bdb5add4fd12cfb7777

SHA256
7e50a8c1da06d472ddbbc121ee5936f93d66ec34b8c6bc5fffe6525add1d39c7

SHA512
8817df237ede0619f9856417078483d3631ef4cc4e007d18d77570b07e7f0a345e0c997025cdef210d8e2e29d59eea0a75a72944e9bf67e13c3552bfc25706d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75547e0e6d6dfc7241958b5db998e1ba

SHA1
f9d2369fecde4e05be0d1b42af648ac6fd0259ee

SHA256
86496923b55937be193cd521877ff860e1ba568725298d5317fad62a9f514e1d

SHA512
4969bf33ab32d26c877394111f68f7bed1d9e645c3da803619ce9d75ecf0dc1e3b364673cae97f17807666d42685c69d5ed42a5e879f7526803bcb7b3941cbac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2dbd0907c2fc37e6ed59202a0f9e3552

SHA1
d4dff084de7967d4901c5e81cfbaf3019b4a2c4b

SHA256
5649a8595683694f757219ed9ed7b5f5d9343c5bede8586542947cec82ed2b38

SHA512
ac46d1ad849ad80eeb8adfada56664ebe42c9b15ac9ec4cdf1c113b63374c53c5b0d3bc7a4d59d6f9a8bea666e691d7084728e62fe3ffa2588420b4ea73d203a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8242cb855d10dc33ab0f75a02454996b

SHA1
c4ad38fe917077595606ca79397f88a632fc4c83

SHA256
9fdb78cfa3cd04fe28b6df98232f835afddb64087c49ddbcfd6fd43274d20f03

SHA512
ddcb853a8b6c043ef1f15b116c028b3abeda1a9321741315cff6481ac2dd1b1a77a6cd15a34ae9f4de1703f7c400020617ef91dcccd6f42be99c8350d449ba73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d37da3b48d264e1d48bc55694091959

SHA1
78a6a36c621f1d09730707a466cf7cb8fe3ed0ac

SHA256
d90d9f61a2d0c85b6d7b8a262d86c39f2f791d8ed02bf0ba1cbfe1d1c204e370

SHA512
552560c3325a8d76d459ac665c148b7280fa08be2815cc3dee941b8e77715fbe31a4ef8042e702eadb1fe8a81f5002f4cc652e372b707df15316d7006dad04f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b6e7aacb73014af7c522699ff9b1319c

SHA1
9a85633964802a4cabf99911704f08c604f29d8b

SHA256
098d410641e80d0c6330b362496878e55832abd73ff834904bc9fc241a251845

SHA512
5f89cf2d953296ca7e60fac21c14df64badba3ca18513bcb6c8c5e4f123340a039efdd2004caceb13e6ea59ca7ba4c1e3da55e609442b094f281972c8be960e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcc0f105134b259ab5ce648dbf46f995

SHA1
9bad9086a6d6574723e97bed9080ef442a5d5f85

SHA256
2bf332c28e33c306d2db855be84c37004b0e5332ca65609a31f6cd4196b2d5c6

SHA512
13d74d46b4652e621096f7fb67a72f64d8a7d1d018fa88d56e67f348210cc7719379f074b059fe7cc42becd8e04683862bfa27dd62787abe5a57707dddc7dde6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67ba2b4f415d04a1a1ea26ee61dcb48f

SHA1
7a82d067c285f3b82ef7bd339093b5f70aa938dc

SHA256
1a04a193d2cde2068d1bfe8625f23d4a101a3764923f510ab5235056be4cb77f

SHA512
8b8c1f6cbeb7ac1b56165e4a22369f3bd8057f9154213a6cd5edb8504ceda01d451a17ab956f87970c560eefd9ef804df2fad5418e456a7b4112333eaff94595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d52eb457e683ff92480cfc7322f93bd6

SHA1
6a8f4eb5175bf00ee5dd9cacef66eb49f392a9b4

SHA256
b2c6c43372f46f4389ceb57e3a3887628fee1cc4309519c31432653e17146ed2

SHA512
b7c0994dcf9aa87fe38faf91aaa04707a20b75e121ce1628b4d0805a74c68b99715744c77b803da8e9326ce3db35f30f1fdbf3c720e2cfaca519b79771d5bf3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
126bf48e2e181347049ef8bb351d6ea4

SHA1
f4484e57d3a10cf4324006b7c1c462803c9852d9

SHA256
e1272cc33b8125e61e7e75de790e7b743ae8fec7e1f3ecef711b35381cac243f

SHA512
b6e8fd85f408cf926d9432f4e22ee68d66dcffad2cf8e3aad71f85a27b7ba699e2eda6e9b2f0b59bbdd731cb28de147ae8c754341a2d043cad38c137a2bb3578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9d5cea3367ff559c5fcbd35c3d28378

SHA1
15838f9c1a3cd3c8d7df26bce8fac95267ed10af

SHA256
58cbbdf4271db87c70580c686168715ba556833b38421ccdca99cd9f54807c91

SHA512
88c8f5c530386917c5f8234116871406835f3707ceaabe602ef6beef92fe1b98a8930919e338e4202209655072eb1a943eb36fc3021dc7563c8982afc1ca0519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
035e038ae654a78c0aacf2b040a00766

SHA1
ae23322441e56441f69bffe11991ffb3aa96d3a9

SHA256
7d7149fad73fd1da21bbb8c490ce958e628a994d92bc08c27c04d82a176aa69c

SHA512
7c7bb00c6b150e79974a784198952377fb4de8904b140b1af59782ac5c0d5599b3730bd8e59bee2a4c39a59c2f33848bc563f7e015ccfe1ae78366a2d88d8318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09b0355df94f0d28fe518994e1602709

SHA1
8c34b36ff1681159e45c1f9cfd22d54326638696

SHA256
a699efcb220321a2e51bb22895002056da4407aed9651bf53de52b89ecb31de3

SHA512
5ec445c81669210b3fc3dc4f6ba35df2ef2c18ff537247263991b0214efacbc0a0c5d860beca19e569dcca756d37ba6813ea3a75b8b46339b1f6f6e8a5148a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a2668f7ba8fae20665047fd29ce610a

SHA1
710069ec79c13b9017796f7b40809ac90906391b

SHA256
52bf1294b33fcc2bae3def932281f70ee5fb5e8047f15d600887d06da25eac0d

SHA512
b2a5c2133694f9eeeb3a061e7dc801e711d8456235b884aa140160ff0b9c19448acd3d4840d5a58eeec25b9bbbf2a2369d13ac643ed81ce16b01b4414d710ee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d54739314564eb377f94d7b7eae4924d

SHA1
1f5af7033d1a46df10cad227934a0e3810c323ad

SHA256
ea6a70d460f1b7e2409818e203f3a88e0293bf90f2e009213219e91f039d28d2

SHA512
57832c4038c9915228e36f6c7160c46b6718e8210405e96c7b05eee9764bdf2e0bfa69734a786aef3b05a176347e318687b3c074577c655561c393b921891cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ed4fff5739c78ccde8a3e091342a840c

SHA1
00884b36533a665d18b10c40bef12114de35ea70

SHA256
80bc87372f6d359c39908a11ba75a6d58b0e6d01062b522980f9e4092d611357

SHA512
6a5c0118163352aee000490620b1b3270f5d0c0971527ea817f9a1c2225e0d4bf19a901bf30836d74fd58063a710512cbeb922d497c223cba416a7c39e041afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d976e7cc-4a46-4e57-a0e9-2132f733fa59.tmp

Filesize
9KB

MD5
1e0eba70585bff0dd14d9673e75563cf

SHA1
1b00c3b23c9b26f529e1c11c326cb67adcce75ca

SHA256
07e1b353b237f594341ee618846417653a88cdcfc6aa7107986f9890a631cb8c

SHA512
bdf3bf1a993770ac5af8dcf5ccb7feb85bcb383a4c661dd41381d37f5451cec6ee5b2a1f1c65522a2b68a8f58d10b574db606822ea3df32d92e908c00fd41b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
c9fc167fd60ce142222cfc38ab6de0a5

SHA1
e701f8950f5a9972c9ad2763c746c9caccb21687

SHA256
88cc47aa76f97d7f3ffc9a2ea594b08b541ccc765d3e2bf7863d34c1caa133b5

SHA512
4d7fb30b7a44612a23cb68874bf9f6b75da53ffdb830066f980755415ec6ffb310bdb5249800b593fd8e3f74f03615387e54e4c329fff2b08c66a3978345526b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
b391937ca09824e6f297c504c436597f

SHA1
756b445bde2a024468b0bf5fe3662dd461e480d3

SHA256
f9d106f868c9099dd237369e47db46424773cc84acab7b6627febaa7dadf55e1

SHA512
b5d76f913ff67af5b710e7557cde2f7df0b9ced140bee23a4c38609fbb379094a5f40c614523f957cef22c42d9efb6170c1e794da20850ddfc8de47c552f43e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17923185f44a9c87ffc948a0e0d8d914

SHA1
dc28f57c13b068cce7748e63b667d88f285f9e87

SHA256
7c5eac0fa43bb2861db81c2a6663e9849a2b1812fad9053c8f5c6e7c2e49ebda

SHA512
5dbb11a90c2d66a9f87870e878370a3f378ec338ed117e124a3d3dddaa0f2adb8b42fa16d6a9197fff2df4e428ef49c823e46576c6c6ce4110c9d551d1fb463d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BdDDhoJ5ODmV.exe

Filesize
197KB

MD5
9aea7117bf08f34186db7a1049fbb959

SHA1
35189cd5a66b5dbd7c0b5da42497f829585988d0

SHA256
65fa0b7a03e34182a829f8dceb104c49e5b237ade3e838ad93f98a64af6247f4

SHA512
01e042b3a3d8c5be41f1a68708a07a29df60e2318a3dbcbd62705e6428d0dd1214a9d580dacf1961d4bb26f6b2486f701a3d15773656edda1d5432a9376cc250

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cl0moygh.ukq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
d736427dd2ccd3f8a536d5cf69827f6f

SHA1
20db2442845c8559801de82434b3af89b6545c4a

SHA256
0463f6a7f96dd95ae2352e658a17210f6242fec676cacd4c9a8042e1b040560e

SHA512
822bdf46a2f950f42a8c17afe9cf1ca27685fb44e180966871df2f2da08b872a10e72e5c892b901d3c1a9f2421ed91ac14b452d0d87fff8146e3839740fb0112

Download Submit
memory/1448-146-0x0000026134FE0000-0x0000026135002000-memory.dmp

Filesize
136KB

Download
memory/1688-286-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/1688-305-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/1688-419-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/1688-439-0x000000001C370000-0x000000001C378000-memory.dmp

Filesize
32KB

Download
memory/1688-140-0x0000000000750000-0x0000000000788000-memory.dmp

Filesize
224KB

Download
memory/1688-276-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/1688-362-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/4348-14-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-9-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-12-0x000000001C8D0000-0x000000001C920000-memory.dmp

Filesize
320KB

Download
memory/4348-15-0x000000001C940000-0x000000001C952000-memory.dmp

Filesize
72KB

Download
memory/4348-11-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-16-0x000000001C9A0000-0x000000001C9DC000-memory.dmp

Filesize
240KB

Download
memory/4348-13-0x000000001C9E0000-0x000000001CA92000-memory.dmp

Filesize
712KB

Download
memory/4384-0-0x00007FFCC03A3000-0x00007FFCC03A5000-memory.dmp

Filesize
8KB

Download
memory/4384-1-0x00000000004C0000-0x00000000007E4000-memory.dmp

Filesize
3.1MB

Download
memory/4384-2-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download
memory/4384-10-0x00007FFCC03A0000-0x00007FFCC0E61000-memory.dmp

Filesize
10.8MB

Download