quasar | hxxps://github[.]com/quasar/Quasar/releases/download/v1[.]4[.]1/Quasar[.]v1[.]4[.]1[.]zip

Analysis

max time kernel
1101s
max time network
1102s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-11-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/quasar/Quasar/releases/download/v1.4.1/Quasar.v1.4.1.zip

Score

10^/10

quasar rizz discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Rizz

Rizz:4715

Mutex

fec059ef-6eb2-4d1b-ab37-e41d3c690e1d

Attributes

encryption_key
7C5DA122248A019413C4F14678EB07245DE843C7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3748-77-0x0000010855390000-0x00000108554C8000-memory.dmp	family_quasar
behavioral1/memory/3748-78-0x0000010855940000-0x0000010855956000-memory.dmp	family_quasar
behavioral1/files/0x000300000000069d-183.dat	family_quasar
behavioral1/files/0x000300000000069d-744.dat	family_quasar
behavioral1/memory/4904-816-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar

Executes dropped EXE 64 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

pid	Process
4904	Client-built.exe
2476	Client-built.exe
4956	Client-built.exe
4400	Client-built.exe
3864	Client-built.exe
3376	Client-built.exe
660	Client-built.exe
2464	Client-built.exe
2152	Client-built.exe
4808	Client-built.exe
1840	Client-built.exe
1036	Client-built.exe
968	Client-built.exe
4512	Client-built.exe
1660	Client-built.exe
2892	Client-built.exe
4744	Client-built.exe
4404	Client-built.exe
4248	Client-built.exe
5044	Client-built.exe
668	Client-built.exe
3024	Client-built.exe
1808	Client-built.exe
4552	Client-built.exe
1780	Client-built.exe
3644	Client-built.exe
1664	Client-built.exe
4824	Client-built.exe
912	Client-built.exe
2696	Client-built.exe
4776	Client-built.exe
4684	Client-built.exe
1532	Client-built.exe
1932	Client-built.exe
904	Client-built.exe
4680	Client-built.exe
784	Client-built.exe
584	Client-built.exe
3008	Client-built.exe
4780	Client-built.exe
4668	Client-built.exe
2284	Client-built.exe
1816	Client-built.exe
2220	Client-built.exe
876	Client-built.exe
3596	Client-built.exe
2776	Client-built.exe
2460	Client-built.exe
920	Client-built.exe
2884	Client-built.exe
3804	Client-built.exe
3716	Client-built.exe
2392	Client-built.exe
3068	Client-built.exe
3796	Client-built.exe
4044	Client-built.exe
4264	Client-built.exe
3344	Client-built.exe
2508	Client-built.exe
2236	Client-built.exe
2676	Client-built.exe
4196	Client-built.exe
808	Client-built.exe
2012	Client-built.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1112	PING.EXE
752	PING.EXE
2780	PING.EXE
1828	PING.EXE
4648	PING.EXE
4020	PING.EXE
4528	PING.EXE
3480	PING.EXE
4968	PING.EXE
4240	PING.EXE
884	PING.EXE
1932	PING.EXE
2564	PING.EXE
4772	PING.EXE
3936	PING.EXE
484	PING.EXE
4856	PING.EXE
1120	PING.EXE
2268	PING.EXE
2056	PING.EXE
1120	PING.EXE
2308	PING.EXE
4728	PING.EXE
1708	PING.EXE
4240	PING.EXE
3020	PING.EXE
4300	PING.EXE
2620	PING.EXE
3604	PING.EXE
2856	PING.EXE
2728	PING.EXE
808	PING.EXE
752	PING.EXE
2324	PING.EXE
460	PING.EXE
5040	PING.EXE
4752	PING.EXE
3784	PING.EXE
2396	PING.EXE
3500	PING.EXE
1928	PING.EXE
3796	PING.EXE
5032	PING.EXE
5048	PING.EXE
4020	PING.EXE
1884	PING.EXE
1460	PING.EXE
3268	PING.EXE
3320	PING.EXE
4772	PING.EXE
4880	PING.EXE
1900	PING.EXE
2440	PING.EXE
752	PING.EXE
1048	PING.EXE
4616	PING.EXE
4508	PING.EXE
4680	PING.EXE
5032	PING.EXE
4196	PING.EXE
2752	PING.EXE
4192	PING.EXE
1976	PING.EXE
4576	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeQuasar.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 66003100000000007c59635610005155415341527e312e3100004c0009000400efbe7c5963567c5963562e0000003eab020000001c0000000000000000000000000000003e4f11005100750061007300610072002e00760031002e0034002e00310000001a000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000000000002000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Pictures"	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000004759e5601100557365727300640009000400efbec5522d607c5959562e0000006c0500000000010000000000000000003a00000000005228c60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 66003100000000007c596d5610005155415341527e312e3100004c0009000400efbe7c5963567c596d562e0000003fab0200000019000000000000000000000000000000ea474d005100750061007300610072002000760031002e0034002e00310000001a000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 84003100000000007c5963561100444f574e4c4f7e3100006c0009000400efbe4759e5607c5963562e0000002a5702000000010000000000000000004200000000007df0160044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 500031000000000047596066100041646d696e003c0009000400efbe4759e5607c5959562e00000022570200000001000000000000000000000000000000e78eb500410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	explorer.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

pid	Process
3320	PING.EXE
2356	PING.EXE
460	PING.EXE
1976	PING.EXE
2752	PING.EXE
1928	PING.EXE
4248	PING.EXE
4508	PING.EXE
5076	PING.EXE
2056	PING.EXE
3480	PING.EXE
4772	PING.EXE
5032	PING.EXE
1908	PING.EXE
4576	PING.EXE
4752	PING.EXE
4236	PING.EXE
3604	PING.EXE
4836	PING.EXE
4240	PING.EXE
4856	PING.EXE
4020	PING.EXE
2124	PING.EXE
1460	PING.EXE
1464	PING.EXE
3796	PING.EXE
4020	PING.EXE
4924	PING.EXE
2308	PING.EXE
1708	PING.EXE
4300	PING.EXE
5032	PING.EXE
4200	PING.EXE
2564	PING.EXE
4728	PING.EXE
652	PING.EXE
1608	PING.EXE
564	PING.EXE
2352	PING.EXE
4772	PING.EXE
752	PING.EXE
1112	PING.EXE
4724	PING.EXE
4636	PING.EXE
4880	PING.EXE
752	PING.EXE
1932	PING.EXE
3480	PING.EXE
5040	PING.EXE
4240	PING.EXE
4604	PING.EXE
484	PING.EXE
1828	PING.EXE
2856	PING.EXE
1296	PING.EXE
1048	PING.EXE
3480	PING.EXE
3020	PING.EXE
1936	PING.EXE
2380	PING.EXE
3040	PING.EXE
2780	PING.EXE
2396	PING.EXE
4528	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid	Process
1868	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	Process
2224	msedge.exe
2224	msedge.exe
2748	msedge.exe
2748	msedge.exe
4772	msedge.exe
4772	msedge.exe
1120	msedge.exe
1120	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Quasar.exeexplorer.exe

pid	Process
3748	Quasar.exe
1868	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	Process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Quasar.exeAUDIODG.EXEClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

description	pid	Process
Token: SeDebugPrivilege	3748	Quasar.exe
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: SeDebugPrivilege	4904	Client-built.exe
Token: SeDebugPrivilege	2476	Client-built.exe
Token: SeDebugPrivilege	4956	Client-built.exe
Token: SeDebugPrivilege	4400	Client-built.exe
Token: SeDebugPrivilege	3864	Client-built.exe
Token: SeDebugPrivilege	3376	Client-built.exe
Token: SeDebugPrivilege	660	Client-built.exe
Token: SeDebugPrivilege	2464	Client-built.exe
Token: SeDebugPrivilege	2152	Client-built.exe
Token: SeDebugPrivilege	4808	Client-built.exe
Token: SeDebugPrivilege	1840	Client-built.exe
Token: SeDebugPrivilege	1036	Client-built.exe
Token: SeDebugPrivilege	968	Client-built.exe
Token: SeDebugPrivilege	4512	Client-built.exe
Token: SeDebugPrivilege	1660	Client-built.exe
Token: SeDebugPrivilege	2892	Client-built.exe
Token: SeDebugPrivilege	4744	Client-built.exe
Token: SeDebugPrivilege	4404	Client-built.exe
Token: SeDebugPrivilege	4248	Client-built.exe
Token: SeDebugPrivilege	5044	Client-built.exe
Token: SeDebugPrivilege	668	Client-built.exe
Token: SeDebugPrivilege	3024	Client-built.exe
Token: SeDebugPrivilege	1808	Client-built.exe
Token: SeDebugPrivilege	4552	Client-built.exe
Token: SeDebugPrivilege	1780	Client-built.exe
Token: SeDebugPrivilege	3644	Client-built.exe
Token: SeDebugPrivilege	1664	Client-built.exe
Token: SeDebugPrivilege	4824	Client-built.exe
Token: SeDebugPrivilege	912	Client-built.exe
Token: SeDebugPrivilege	2696	Client-built.exe
Token: SeDebugPrivilege	4776	Client-built.exe
Token: SeDebugPrivilege	4684	Client-built.exe
Token: SeDebugPrivilege	1532	Client-built.exe
Token: SeDebugPrivilege	1932	Client-built.exe
Token: SeDebugPrivilege	904	Client-built.exe
Token: SeDebugPrivilege	4680	Client-built.exe
Token: SeDebugPrivilege	784	Client-built.exe
Token: SeDebugPrivilege	584	Client-built.exe
Token: SeDebugPrivilege	3008	Client-built.exe
Token: SeDebugPrivilege	4780	Client-built.exe
Token: SeDebugPrivilege	4668	Client-built.exe
Token: SeDebugPrivilege	2284	Client-built.exe
Token: SeDebugPrivilege	1816	Client-built.exe
Token: SeDebugPrivilege	2220	Client-built.exe
Token: SeDebugPrivilege	876	Client-built.exe
Token: SeDebugPrivilege	3596	Client-built.exe
Token: SeDebugPrivilege	2776	Client-built.exe
Token: SeDebugPrivilege	2460	Client-built.exe
Token: SeDebugPrivilege	920	Client-built.exe
Token: SeDebugPrivilege	2884	Client-built.exe
Token: SeDebugPrivilege	3804	Client-built.exe
Token: SeDebugPrivilege	3716	Client-built.exe
Token: SeDebugPrivilege	2392	Client-built.exe
Token: SeDebugPrivilege	3068	Client-built.exe
Token: SeDebugPrivilege	3796	Client-built.exe
Token: SeDebugPrivilege	4044	Client-built.exe
Token: SeDebugPrivilege	4264	Client-built.exe
Token: SeDebugPrivilege	3344	Client-built.exe
Token: SeDebugPrivilege	2508	Client-built.exe
Token: SeDebugPrivilege	2236	Client-built.exe
Token: SeDebugPrivilege	2676	Client-built.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	Process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
3748	Quasar.exe
2748	msedge.exe
2748	msedge.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
2748	msedge.exe
2748	msedge.exe
4904	Client-built.exe
2476	Client-built.exe
4956	Client-built.exe
4400	Client-built.exe
3864	Client-built.exe
3376	Client-built.exe
660	Client-built.exe
2464	Client-built.exe
2152	Client-built.exe
4808	Client-built.exe
1840	Client-built.exe
1036	Client-built.exe
968	Client-built.exe
4512	Client-built.exe
1660	Client-built.exe
2892	Client-built.exe
4744	Client-built.exe
4404	Client-built.exe
4248	Client-built.exe
5044	Client-built.exe
668	Client-built.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeQuasar.exeexplorer.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

pid	Process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
3748	Quasar.exe
2748	msedge.exe
2748	msedge.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
2748	msedge.exe
2748	msedge.exe
4904	Client-built.exe
2476	Client-built.exe
4956	Client-built.exe
4400	Client-built.exe
3864	Client-built.exe
3376	Client-built.exe
660	Client-built.exe
2464	Client-built.exe
2152	Client-built.exe
4808	Client-built.exe
1840	Client-built.exe
1036	Client-built.exe
968	Client-built.exe
4512	Client-built.exe
1660	Client-built.exe
2892	Client-built.exe
4744	Client-built.exe
4404	Client-built.exe
4248	Client-built.exe
5044	Client-built.exe
668	Client-built.exe
3024	Client-built.exe
1808	Client-built.exe
4552	Client-built.exe
1780	Client-built.exe
3644	Client-built.exe
1664	Client-built.exe
4824	Client-built.exe
912	Client-built.exe
2696	Client-built.exe
4776	Client-built.exe
4684	Client-built.exe
1532	Client-built.exe
1932	Client-built.exe
904	Client-built.exe
4680	Client-built.exe
784	Client-built.exe
584	Client-built.exe
3008	Client-built.exe
4780	Client-built.exe
4668	Client-built.exe
2284	Client-built.exe
1816	Client-built.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

explorer.exeQuasar.exe

pid	Process
1868	explorer.exe
1868	explorer.exe
3748	Quasar.exe
3748	Quasar.exe
3748	Quasar.exe
1868	explorer.exe
1868	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2748 wrote to memory of 2932	2748	msedge.exe	79
PID 2748 wrote to memory of 2932	2748	msedge.exe	79
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2680	2748	msedge.exe	80
PID 2748 wrote to memory of 2224	2748	msedge.exe	81
PID 2748 wrote to memory of 2224	2748	msedge.exe	81
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82
PID 2748 wrote to memory of 3260	2748	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/quasar/Quasar/releases/download/v1.4.1/Quasar.v1.4.1.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc687a3cb8,0x7ffc687a3cc8,0x7ffc687a3cd8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6136 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,18180256686883493263,13014811373486264008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1188

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3748
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
  2⤵
  PID:2464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1868
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isObAbxfCisB.bat" "
    3⤵
    PID:4008
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:904
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3268
  - - C:\Users\Admin\Downloads\Client-built.exe
      "C:\Users\Admin\Downloads\Client-built.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeIykIJWZjvH.bat" "
        5⤵
        
        PID:4568
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4496
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1900
      - C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYAcfDIqpyrY.bat" "
        7⤵
        
        PID:2108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4924
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iY1bKpaKnrc5.bat" "
        9⤵
        
        PID:808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        
        PID:2564
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I2dNltM3Ge7j.bat" "
        11⤵
        
        PID:1140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2308
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dis83HuNcxBJ.bat" "
        13⤵
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:3480
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MrP9Kg24wiqa.bat" "
        15⤵
        
        PID:808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0z7QcoWIhveG.bat" "
        17⤵
        
        PID:564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:4236
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QXa0l6tooGr0.bat" "
        19⤵
        
        PID:1464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5040
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akmT4SfIWM0z.bat" "
        21⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4528
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TdPtzu7067OQ.bat" "
        23⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\onuo89ycsXch.bat" "
        25⤵
        
        PID:5008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4192
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\if40gIEDvGXv.bat" "
        27⤵
        
        PID:124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5032
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N47fQEJxpaeS.bat" "
        29⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\38eAk6kwCFJv.bat" "
        31⤵
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1120
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cfLBHtUeIBxy.bat" "
        33⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X3KKgrt79PgX.bat" "
        35⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        
        PID:1296
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMV1yICTX9kz.bat" "
        37⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        Runs ping.exe
        
        PID:1608
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acm0lPawi1xV.bat" "
        39⤵
        
        PID:1204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksHNSIW8SMql.bat" "
        41⤵
        
        PID:1380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:3604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2324
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SrPjqklknTNW.bat" "
        43⤵
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:4528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2440
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        44⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wdlgtw69jJ2e.bat" "
        45⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        Runs ping.exe
        
        PID:4836
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        46⤵
        
        PID:412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s9GWTFyjmzcm.bat" "
        47⤵
        
        PID:1376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        
        PID:748
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        48⤵
        
        PID:4620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jfoctYvSjpnW.bat" "
        49⤵
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:1028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2728
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        50⤵
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8KdpTw1tSz1l.bat" "
        51⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        Runs ping.exe
        
        PID:4636
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        52⤵
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGkHn9rL82uX.bat" "
        53⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:1120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2268
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        54⤵
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RTxfAWug9NaQ.bat" "
        55⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        56⤵
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3VVM0q0MWOCo.bat" "
        57⤵
        
        PID:3940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:4408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        Runs ping.exe
        
        PID:2564
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        58⤵
        
        PID:4200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h1KAALLIk6JU.bat" "
        59⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:3360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        60⤵
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eS4xeDQ5r55R.bat" "
        61⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:4924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2564
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        62⤵
        
        PID:732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMGQbFYDya6e.bat" "
        63⤵
        
        PID:4752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:1208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3936
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        64⤵
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DR7WBggs4Ctl.bat" "
        65⤵
        
        PID:3172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        
        PID:2268
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        66⤵
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DazgLIh7IbLC.bat" "
        67⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:5096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5048
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        68⤵
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ya1QsURyyYzB.bat" "
        69⤵
        
        PID:760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:1460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        Runs ping.exe
        
        PID:5076
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        70⤵
        
        PID:4536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jRFYXKXFjYVK.bat" "
        71⤵
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        
        PID:1480
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        72⤵
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H3H3AGJtAlcO.bat" "
        73⤵
        
        PID:4240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:2128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4772
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        74⤵
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LXqaaUqSucSk.bat" "
        75⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:2764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        Runs ping.exe
        
        PID:4724
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        76⤵
        
        PID:2128
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ExrAsuMj2oVm.bat" "
    3⤵
    PID:5088
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2220
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      PID:4188
  - - C:\Users\Admin\Downloads\Client-built.exe
      "C:\Users\Admin\Downloads\Client-built.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSDC8e13OgMi.bat" "
        5⤵
        
        PID:2356
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1816
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        
        PID:3372
      - C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYoBCXyxoZSx.bat" "
        7⤵
        
        PID:4856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4248
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xjm35vMNVqt1.bat" "
        9⤵
        
        PID:200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYgUgArPfsgz.bat" "
        11⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:884
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hfJ9SSDOjvQZ.bat" "
        13⤵
        
        PID:5008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4728
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaU1SOxnq6yb.bat" "
        15⤵
        
        PID:908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:3040
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoZXZcclweM9.bat" "
        17⤵
        
        PID:3804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:484
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sASQxMnfZd6v.bat" "
        19⤵
        
        PID:4468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4508
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYrp7exBWIFx.bat" "
        21⤵
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:752
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zO0GstALlKL2.bat" "
        23⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        
        PID:2512
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoDVmOJcrSAk.bat" "
        25⤵
        
        PID:908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3480
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5BUC83wkq6DK.bat" "
        27⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NN2cylGnCgl5.bat" "
        29⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        Runs ping.exe
        
        PID:652
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UhEk2bLIWfAO.bat" "
        31⤵
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1828
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S8AJTrPXoIKe.bat" "
        33⤵
        
        PID:3504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IF1bEayJjZNJ.bat" "
        35⤵
        
        PID:3316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4772
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psVDQqUAGBIQ.bat" "
        37⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4196
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQcveKq661UQ.bat" "
        39⤵
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4020
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrvTyTcJ7250.bat" "
        41⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4856
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        42⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pp24ArDSASSr.bat" "
        43⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:3020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        44⤵
        
        PID:1012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7SkN4xMxmxmd.bat" "
        45⤵
        
        PID:4872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        
        PID:2340
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        46⤵
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7vhKf2oWhHBf.bat" "
        47⤵
        
        PID:4296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:2396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        48⤵
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiFJJlS8LrPC.bat" "
        49⤵
        
        PID:1376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:4576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        
        PID:3936
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        50⤵
        
        PID:3372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ar9Nrqn9E1GK.bat" "
        51⤵
        
        PID:4676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2752
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        52⤵
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uZsPdhOvIbKW.bat" "
        53⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:4336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        
        PID:4424
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        54⤵
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmhGK2P5lWwy.bat" "
        55⤵
        
        PID:4836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        
        PID:4020
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        56⤵
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Av6m4k0pY1sI.bat" "
        57⤵
        
        PID:396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:2128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        Runs ping.exe
        
        PID:2124
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        58⤵
        
        PID:3940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g9kaAEDU483p.bat" "
        59⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3320
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        60⤵
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9tJSKi8givhB.bat" "
        61⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:4040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3784
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        62⤵
        
        PID:3268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgY2JpIcOJHP.bat" "
        63⤵
        
        PID:4064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:4300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        Runs ping.exe
        
        PID:2356
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        64⤵
        
        PID:4872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cfViAJB2TjrG.bat" "
        65⤵
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4300
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        66⤵
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7VSD9sMFGWFF.bat" "
        67⤵
        
        PID:3920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        Runs ping.exe
        
        PID:1936
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        68⤵
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWF14R4VQZFG.bat" "
        69⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:4020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        70⤵
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pj0Mfo6MZKf7.bat" "
        71⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:5072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4616
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        72⤵
        
        PID:1316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGOjS27yBdWw.bat" "
        73⤵
        
        PID:1208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        
        PID:4072
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMVqoq634BDs.bat" "
    3⤵
    PID:3580
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2764
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      PID:4416
  - - C:\Users\Admin\Downloads\Client-built.exe
      "C:\Users\Admin\Downloads\Client-built.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W4c3sSFg1DAT.bat" "
        5⤵
        
        PID:4588
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4244
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4240
      - C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiTtL6z5x2uu.bat" "
        7⤵
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1120
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L00HyQNsVSkW.bat" "
        9⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:4604
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n2CO0nIYsSeg.bat" "
        11⤵
        
        PID:780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jhB4fufnF8ty.bat" "
        13⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:460
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkqsL06D9mVD.bat" "
        15⤵
        
        PID:3560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:3480
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwgRFAiDw9Be.bat" "
        17⤵
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:808
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6MsMoK81UeT.bat" "
        19⤵
        
        PID:5072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4680
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zRgVQhWdUF35.bat" "
        21⤵
        
        PID:1204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        
        PID:4932
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQNLijeJRRoG.bat" "
        23⤵
        
        PID:4236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tyuqdc8XRVe4.bat" "
        25⤵
        
        PID:3372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:1908
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqjA2LWh3LgB.bat" "
        27⤵
        
        PID:5076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3796
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sHlaFZJ4a9bX.bat" "
        29⤵
        
        PID:1548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        
        PID:464
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zd6zwEUOFOga.bat" "
        31⤵
        
        PID:3292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        
        PID:1464
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tr87mZRfEoBz.bat" "
        33⤵
        
        PID:2856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4752
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prw7puN1EQtn.bat" "
        35⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3500
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z1zUnzdTiJUw.bat" "
        37⤵
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4968
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2CmAE5LBlg8C.bat" "
        39⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4648
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BisF7rYq6qYN.bat" "
        41⤵
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:5040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        42⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8rVN4R7TKpW.bat" "
        43⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5032
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        44⤵
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L25H328PiJc9.bat" "
        45⤵
        
        PID:3676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:3292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        46⤵
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MLXk8pA81F9s.bat" "
        47⤵
        
        PID:700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:4832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4020
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        48⤵
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FVhZVl5VNbs5.bat" "
        49⤵
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:2308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        Runs ping.exe
        
        PID:1296
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        50⤵
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i3XmOhbOaQNR.bat" "
        51⤵
        
        PID:3480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        Runs ping.exe
        
        PID:4200
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        52⤵
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8oVmsmrOQTuS.bat" "
        53⤵
        
        PID:3812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:4832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        
        PID:3244
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        54⤵
        
        PID:792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yvlL8BBSbNwz.bat" "
        55⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1112
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        56⤵
        
        PID:4204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhj3l6Xy60E7.bat" "
        57⤵
        
        PID:4952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:4752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        
        PID:2856
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        58⤵
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAnuyNOIpPNa.bat" "
        59⤵
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:1112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1884
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        60⤵
        
        PID:3528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mP8fAtB8xm95.bat" "
        61⤵
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:4464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        Runs ping.exe
        
        PID:564
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        62⤵
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KvTD6Znhhkhe.bat" "
        63⤵
        
        PID:3600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:4728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        Runs ping.exe
        
        PID:2352
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        64⤵
        
        PID:564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCVWL9QY9GlM.bat" "
        65⤵
        
        PID:1884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        
        PID:4728
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        66⤵
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\da23hFKtRb6x.bat" "
        67⤵
        
        PID:884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2620
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        68⤵
        
        PID:4040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deYUxuZ1nltG.bat" "
        69⤵
        
        PID:4072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:5096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        
        PID:5076
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        70⤵
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Weu2h5q9tOSd.bat" "
        71⤵
        
        PID:4424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\Downloads\Client-built.exe
        
        "C:\Users\Admin\Downloads\Client-built.exe"
        72⤵
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M76c26BsiCaM.bat" "
        73⤵
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:4752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6c43f713-6b25-4bd0-9398-f7bff022f7ac.tmp

Filesize
10KB

MD5
d37e8d885223f4f4e5c370aa86a2c52a

SHA1
b98611f7a6bbc45e5b676574155c000dd16d4c49

SHA256
a55c78b1c0d5f2d9832c5ccf38262a51614c4c79d54ff4d15952427bc2d4ecfb

SHA512
ac0e86b54c064362ebdcff64b796cf4df45331c9b87a782e9376b2d1f5af562e677f52ded7f20a0f4efdb9a5322ed744b46da7147ca47c9b8953f72c5ccf0cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007c

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f1557a1a3051ed943b04527cc0da8f00

SHA1
8238bf389ee802643992e650d42adb10429b3e79

SHA256
846b43149a6fb993918cc6202bb8dd9b101154bfa739c39f5fed0b6e30e19416

SHA512
f3eb3f80c73252c1c05bd9d5e28d33e095304e7839f3ccde881bbf3d9ee5af0d09aed560379f1c085913b0f3fde3c27d700ba01cfdfee0998af32e5041b65e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
6c641808d9a7bef31b2c347b68352934

SHA1
c82b80b4d06faaeb00930e3a395109f6149f03d8

SHA256
cefef0697174d87617e638c47d164ea226ec08feadc5ecc0e6665d2b14e7b3fa

SHA512
5add6547967f7b76008627946949a46846fce1b08b82751a4712773a0d9a19ac52c13d21346e788af71529ecc08692f1a696f7ae5a9d43e9b2cce5e321acbf43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
bde57f537d51e6405f64e33553fef112

SHA1
f53bb9cc2a95060ec69bb388dff9e0cd32299ad5

SHA256
6e0969c46ab17e73ce5c22ea673dc87b0585ec0cac1e269d302a0548a7b77177

SHA512
aa8728e172aedfb4c5766aae01227f5d7d639581cca27083b7d7455c554cebf5febbe8a4aba91ec4df7a126e297a7a18103930b497074ae06ef4d6b8caf5d75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe5c26aa.TMP

Filesize
594B

MD5
c230c876f4a1f1935488738729950704

SHA1
894c18e71d4a56f6491f9d4bd4bb2560724216a2

SHA256
887eec6a33a8c7baa5acd03b6db4358a9ba69229ddf83bcabaafe1c5c0d566cb

SHA512
871f34c82d6f6a211ff150d07e69390fc8a71dcb2a2db39f2a336f64f240b54be7130a087ac7d0f839175f48ad33110ea38f832a7c592c44417233f65c379711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
478B

MD5
a1eb72b23e7d68fa420a4f2b70a6f3d5

SHA1
1f97a54a8645688bcde99743ddebc3826e786854

SHA256
2f0991b5ab7e3f87ec11f44a4e27ac60741952f0f493bcc952abdda8163e236d

SHA512
b7d973dc1a8eba4f91f462f40561932d71f6d4a2a70badd30c83cbed2df269d0962b582a22e632a32dded6e9db85fc821969482aa5f308e4c9119fdbc528ca5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1403a1d9a9df451299d3ca6591c581a

SHA1
6496f8a4c929f42d53348728149d4789006176df

SHA256
e7862f68ba97345f608d1f251ade57e865785d6ad561a6629c76c8117057cebc

SHA512
af7893c793003dbe8ec488a2c3353a3627084ad4842407fda39f52b18655b75a3a1ac9714a399bdfcf075e5efa3d547ab127dfd5f8dccb47d7152055cb805302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
90bfcf20a478a45221a9e19168f1f798

SHA1
14c926dbba6607f5aa477b918569605f383b80eb

SHA256
24384d4537e94dea350a0763aa102d56e787758597be2ba90d8c8a058469f19c

SHA512
c7b26ab4ad5d1dec084a23f9157374c81f29a406936d9adb2855fe1494c602a119d307bdc679d3166848c2e8fff0d414eb04d78cc4c51ca95ebcdcc86f9f37db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae77da837984832663418b119a47e892

SHA1
f6d3c31c2bf00164b2a262629b5d5a2929e64080

SHA256
f774a2038e0a5b2088830a34e4ff3ee77752daf70bfcc7cd973fa7990850a965

SHA512
a917aaad5bf88b88d4718ae644900935681edfdba6c711c679e8968b6023e38713751e87444028c54a569a9c353dd809fe1d3a5693172eac4af8a91d2ea635fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d457a68850edcda9158b5acff4b8a29

SHA1
c13a4362417693ab7c45cc15319339fbd68184b1

SHA256
7c781c62773fa1adac964492136c1a2ed51a68d8d5bdcf148de681b1ea6c17ae

SHA512
2405f278eecb174542117dc880f79366c5b5902789e9eac7c07232f2b874cb0beefef4537234e507b9bf20373cee14df5ef4e54685cdb0b340da6a117bf8449d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
607a5b5aa2bfc8006e7fee313c84543d

SHA1
0fc7099aef33feb90ede3a39e0dc272ee62ecdd3

SHA256
5972d742e35f50f29b823ba6982bf10e58d7c18d20e86251c720cbabbb43b99c

SHA512
43b64f091452ffa4bea225a969ccd96fa105903111cdbe8ad296fde131cd89d8b4d2bad69247f9f5bcd80805d15e63aedcbd3c22bab74559015da3cb3c5f0012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c1bdc.TMP

Filesize
48B

MD5
79be31dc1f0393f581dd806c93d991a2

SHA1
e906ff6874c3cf09562e204245929fea3ef8833c

SHA256
6ce88602b4d6d2c4d428d356a15e404bcf5269cf51d85e74c6c0ecbed06ff703

SHA512
ab4003f296be6b3d8727174a66d6983b1ea00ea2618a45f7166703879930713bdbd93eb657c40c49d54a0f66afa832387c7bca88ac52cdecfd8eb0da886d0828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
d798d7c92bf4eaa5c0ca84ee8347a3e9

SHA1
40536a00277012ba370ebd52f08002c25c655344

SHA256
d059e3c2bd7e5d817e8935efb7515e3ffb38b7e794b7b7b637899b4d94b23e00

SHA512
ad4641303f175be34ce2929eec9d9fc8b28343ad144e965be9329d9d42dbc3bf9d4b99596e2036b97b3d7a92a6237fe91ae17dc33a3afc5995a25cb7e09b8941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
121c1a303dcd5fe71ee33a79f6e8796d

SHA1
30401bd76e8b24a3f18f744d3e75599ce87f7347

SHA256
aac2b08e2d3059ae266c8a367e06b31bacb71ffe451e035efcd36c6faa11ee7a

SHA512
431818993cfe76c1b3b7b8b7f218a08f84120c6fe3ade8fbbcee8a71eac8507424e1f896e58dec949418db2dbdb8794b54458ab0e5b93375048ccd50be3b853b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8df7e9d97922df515e016e583cd5202c

SHA1
9fd5c35cbd0e7f157e9aa53d501d26da42167d81

SHA256
bea0cca78025fc89bf0de746f2e9a5c066a37250b8ab979c17d161a7532ace91

SHA512
69c0d20be92d329e0325915ddf33d69fd431bb9ccf24bed55a287f3972bc916d4573bfd4a23bf42afc30e3fe18400e72e5d8582c8b2f9530d0417cae3ff11f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c27f0f6e5fec63cd3f215a5e95e4c93

SHA1
5d8a1c3ffd368a0e40ff67f761eaa8401e0ba151

SHA256
2ecd8d78bb249377952b3f0bf88f24708cd5d0f47bc3480e8ff1fbc18c83303d

SHA512
98bc4cc8ecf6e929069ff47f94c7b2c9f20a765a692f5a695347d12ea1b833cdd5b886bfe91161baa738f001c692392e470728eda216b22b401680ccf3094698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb3f3a3300189ae4d3e3a41b90ac29b0

SHA1
35753efc6d5e4dd52eded0fa6d8a9aeda2b61d7f

SHA256
956231a50312c467c84275c604c1765110f9fc1abc80b53937db87a37aec5823

SHA512
e54d8fb591618d24b40af14d28a318f9120599c8d7a03e21ec3fdf79f577f9524a796ebe455bbf6cfd021313db0f5ce744dcc807eebfd1c0ba1a57a6895a1fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYAcfDIqpyrY.bat

Filesize
200B

MD5
b465333b90bf2697f5c1065649534665

SHA1
f1fe0553c731acf406e08c89bba573971a30065d

SHA256
b0a9c975b775ebb2873d0a4cee6ce411266c6dc1ef62594744644aeb14052d7c

SHA512
c35967ba6c1fe3b092d027c2346ec0d9867f5651d4bddea54b3478489ff02429da70c0f1a0599f1ed1eb4e8a92fb3b1e55756c3725ee56d476eb06d3ae879d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dis83HuNcxBJ.bat

Filesize
200B

MD5
5340ffc1f3b1d6a580e1ade1ac0906d6

SHA1
f0824de77eaf17c0bc3b42d7e42cdcfc7b9da6f9

SHA256
e5fd736a500336c161df879b07dbc6b54193d488e955520bf374f61f5b7fabe2

SHA512
7d58c38aa0c88bc54a7b7287ae50edb93a36040180436094b30b219588fd5cbc4d33ef3d631245ee4cc8958e26dac5d714dabc85b772c588837e441cc6be832d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExrAsuMj2oVm.bat

Filesize
200B

MD5
0d78574ecd708cd63e589fafbed8f81d

SHA1
653f52c99a024f0070d39e682b43456676a7d38e

SHA256
e805ba05cbecdaad5f2d9b8abb1d034c9cb2a34f831253bc3d69ad4bfbbfccc4

SHA512
3a3699d23d5006a89cf39fec05b62d906292ebf51a4963b309cc9618ad9a2e605d593424206a2b8cd55a0adc341c6660b8a61262868359621d9e494d2ad5b5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\I2dNltM3Ge7j.bat

Filesize
200B

MD5
247f2c259a2da3861c2007ff96ba7d44

SHA1
03f347a31b065fd789e04e3fe15c6e6c4cf380d5

SHA256
034473fe7a9397575b8d6fb466c956b2e8d8f0f62edb4fdecf89d8211c723fba

SHA512
ef17417326104379e29f11039431f6a59a91b3e658ab31f2c7a2be41c4dbc6c87804f50019d52f708f462a748387984d9651f778f7e9a5ea84d02ac8b5600f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\L00HyQNsVSkW.bat

Filesize
200B

MD5
e9d8c5fa8a3d1bbc0b73d718d7619b2d

SHA1
b10e67356764c0f4c32bfefd989051ea277e121d

SHA256
5afd6bf502038a9d72473d966fd230db918ac3c7a1a25fa01f0f8dbef874367f

SHA512
89a740e43204d869aaa6c0ffb0b1889da66d5d6a7bc5e9f61f43045ab3eca8a0cff2d2f3f2d803b9f2f16f5fa2cac6751259d43337cfb4ecff2ad78052f705ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiTtL6z5x2uu.bat

Filesize
200B

MD5
0e177fe143270b176b435b8b3700f8a2

SHA1
6cdf7f6c46986d81d57a815d8ce6217fef38b31a

SHA256
f6184e2dfc3f2738339012b3ecafb9d472267076bf9150a4213f01d78bbac0f6

SHA512
22c0caa3472195190b088cea609d668bd5263f4c439b633d844692f01ec1b945769a83159e0ee49a8aadbf0585c8017b842cef440830e209494dbecf242c2873

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrP9Kg24wiqa.bat

Filesize
200B

MD5
2cfe631ac4c4738e68bede9802cf2bfb

SHA1
46efe0090678492491684cecdfa3ec2a2fd09234

SHA256
cc63a3a23538b79547bfd91165a5e7c9f3617edafec73696da46ae1279e9345c

SHA512
13fd7650780a03077c527e634d368efbed442dcfc6d4814a35ae58f27db1a6bc0a6548b717119fab5f1b6db3b9e3cd2def3998a3e7a1752361f80b477653b344

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSDC8e13OgMi.bat

Filesize
200B

MD5
d8bec7e9c14af325629a18c75ec3eee9

SHA1
2a87b059719b956e9c7a509305ceeb2b2f6ac825

SHA256
d4fab321046c0a7cc9648f91810041f9a495866f7f2ebe044fea004263eb2741

SHA512
0d050f0997a9a8f187d3e20ccba14a283402f73c8bf1dcb4a679f27eb0feefed351b7e7678650b270a1cc46997d76b27af4780a8050248bab88225ffc88f2b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\W4c3sSFg1DAT.bat

Filesize
200B

MD5
7b39d158b61056765613ad356c841eef

SHA1
d2667ec04682aeb70d55d74248a78bf67130da7c

SHA256
8b7890709faebc6d2f887e1f60b667ad51344cec605b24a903b28aa4898e89b5

SHA512
4fc006c0d5fece565f4400af7ab059f026c5be12b12ec772cd7d8e3a7ea737eee3f7c6ca2cdb726c3dd143113a9b7527d25a94ba1fdbd82631204ec35185b5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMVqoq634BDs.bat

Filesize
200B

MD5
2136d3dbf375e12a33a68141ed0ecf32

SHA1
9b397d0a15e6bd26fcee1e0c9b31a04c53063467

SHA256
57c05a4be881ca0aeb82be68c11eabbc0015c2fa7b270fd56675d2aed212d192

SHA512
ac56fe5510452131c00d78472e0494406ca5c77366abaa3c9ce328eab585ce305c408c37d1c239a5b28d07f98ab2590f0cd9f96deb11c1371313d53b9baba764

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xjm35vMNVqt1.bat

Filesize
200B

MD5
50d12abb24258990cdc2678cd0407134

SHA1
4154e95884fef9efa1dde9c3d1513168ec0d62b0

SHA256
c5296941095045e6be8f5366b7315ed8668a28d6315e27fb105940111b70dcbd

SHA512
2c0dd9bbff24ae853b8ff85ae59b77f5400a44640c73e660a3c8b463aafeda7fdf5ca379408fd3089b7bbe816c76a8577b1ac9caedd0613321a650388a301691

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeIykIJWZjvH.bat

Filesize
200B

MD5
5ccd73f7cd80cbb7c178aa11c89d2615

SHA1
631a54de3f4711b3c10f267af2f76504832248ec

SHA256
dd6a4e75a07b51fd796dd67f9ba631118a182a1e891d6e91c3450ee27ae4f6a1

SHA512
cb737aee4ef6b5701318bd2f8dcfde3b023c619538c9a9b77b9fce01d41bfef04f649596415045038dbc0f0220c3bc1220e9c7a2b536eec894c6bb265f249556

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfJ9SSDOjvQZ.bat

Filesize
200B

MD5
7f83fa784b9d7666887368f0a34052e6

SHA1
2446b9151b56e0cefdd1d6d56d9dc8289a98180b

SHA256
5f1727bd55aefd287cf9fd50e00df0e26bf6d1e2e46acaf9bc21b65c84b909b5

SHA512
91fda81b64cca7fcc2552f94e69fd1b838eae4702879fe749d616be6b733db13fa8625407e694373bb475a3b6504da74b400806b11ba9f3c3a9499e80c8183dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iY1bKpaKnrc5.bat

Filesize
200B

MD5
c25139f7929c71e106a056bc809bb734

SHA1
9816c0f79d64e335188d96c07b9c2126512a1bbd

SHA256
cb64195bdbaff103801cafd9782ab321e850c19518789bd5775d1c688262e942

SHA512
0ca920df9027f67f1d648d46a20844d6139337b7a2352d6b942bfda8ad3fce16d81f2f18041df969a1977bd7b6ca1e29ba393cd7367880ed3b63b36e713c5a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\isObAbxfCisB.bat

Filesize
200B

MD5
62df51f19d2730ce89c94161cac7f445

SHA1
6eac6b056168c5e1dddb2ed5208ab3b2974f1f38

SHA256
93b81843145ba6cac67ff11b4646a83e604b804caeb06a32598c0854331c095a

SHA512
b3bdd879b81fe541df6a2052df9b00928b010a779429996bdc44cc187424fa47e5ec06d77e3ca180d029920f3d824de29d8ead8fdfe1bf3b41efe4ef25a60b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2CO0nIYsSeg.bat

Filesize
200B

MD5
b9ef93a8787114ca5d969c0bab5bc915

SHA1
0493ecdfc6ddceea423de34b675a1fa8d524c94b

SHA256
33b555b9d465aa1a034685880d73adc79ec467756d4885c53221784d68212e33

SHA512
7450878381017a772191e71bca6ff0dd20b6893321a57c03503b5516782d0b01398d1bcbb38e85a0865a7a12d2da9483b3f6771e0fc8b58ee5099e9d15415acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYgUgArPfsgz.bat

Filesize
200B

MD5
630c0a59cafc2d3d50ca8681bbd53a48

SHA1
1ea4de9b136dc3bda68547b971bcd8c162575994

SHA256
5b98e3bce5f96ffd660433b6e8d9a683eab1bf6dc1b6c3c02eeca7d663438388

SHA512
5d285560e9707ab8969c7873b2029264e6ac3efd87968362c6141b95adc81c3aee0690666a3400890c3a8bcd8018e2ed6dc109383ee534c168e336a629825c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYoBCXyxoZSx.bat

Filesize
200B

MD5
2fdde501be1101fa4593057b0b2465cd

SHA1
72b00c08487f7f37b940bfa11c9707f70eb5f48d

SHA256
ec4bb63395228c88767abebb75aa904a656556ca7204d5278fba2b70dc335020

SHA512
19e1c5899006f9b158144b46821d51c21be5b4532e4b7918bcd7beaea0ebd6006a6904be3d24150e756fce77bf6a9f440d2d01ef4e6210e69d3e17c43c47300a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2499603254-3415597248-1508446358-1000\f2c787ae24d8369e960da4a810a7e69a_8c9ee1bc-5364-4b37-aae7-4f6a9eeffa14

Filesize
3KB

MD5
87e594fa9bbc03ab6f7ea7039abe14b1

SHA1
d25225c892dd45dc4c9ea0fcd7553da376533f47

SHA256
99a0f0150608d05461a5ba5bcce967b58f66da1c0d8a60e3192bded672d0d791

SHA512
28347287aede5ad494636519f524a92a0791401be33859a4edc36d5a7d65b2aee89b000155f34b5defa789412af680bb42a4fdf55503ca7d784c0835dcd69c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
3.1MB

MD5
bd0722e8a950f8c006036b6eeadb7305

SHA1
8a71c99320f8f4f03b91bcecd152511b300f6a4e

SHA256
421c01415f08838a9127946ddb9de841a54843cf4e4442f91ab4220cd750d46f

SHA512
7944862031401c3886ac46f8c3d6cdf59b870a59e59da9167db36010f8e7377d83c14e4caf39f7338be8270c039657cbaddc750c82669ab7d8acc9344de9eb6a

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
3.1MB

MD5
bf399b680f9756b049bb6db04a96a319

SHA1
857fb20aaa8709c8d1ab8138103cec7863833f6b

SHA256
8271bfc438caf3b834433fb318fa6f3359e1bf523245c86bbe2a9927a2b86998

SHA512
43082bf267edb058da4ef215985eb138172f477a2c7280247904e83bd48d98e7adbf79d983e2761482a7d92944d8b9bf715ccd5fc9004ab1c9268880aa30af37

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip

Filesize
3.3MB

MD5
13aa4bf4f5ed1ac503c69470b1ede5c1

SHA1
c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

SHA256
4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

SHA512
767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml

Filesize
300B

MD5
b2422b031ccc1c2782df78fc13015477

SHA1
f63bbcf323c0bb23143db9a868f8058c508a355b

SHA256
343d250b25db2b160a3eb340a79f244a34d5cf60c5cd52e0390791c7f82ce1df

SHA512
e79f3c5d21141a44b2d1f2fb6916480be949c744000443d00fdb7b4500ae62dc57b9f2f31639cc95e79eb794933a04a2108539a2549a0796dc8c6f5bafb36a34

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml

Filesize
499B

MD5
fc9de2f1e09c42b2ff862fb43b91679c

SHA1
92c9fa6cab7b59ff705a55b902b22ce79ff697a9

SHA256
7fbcc10c55976cc7bc57b8ea0da6e73c0567fd292fd7bd82cceafbe7828c3de1

SHA512
f6dfa7f4f29d693bddbbb8529b7a1497cfc81d0aa776a6685de4e10b4c2de297ab1c7b6bbba86d603f789485b047e9481a3b2758f3aba5a517c4af50aa4eb2e2

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml

Filesize
1KB

MD5
408ca70695842d82037ba7fc8fa0f7b8

SHA1
93dc20d53f17d28e14583c9769c360f6b6c60e8c

SHA256
bb903ea2eaa878e4d5250633dcd2976e0ace3105f2c5d203df54af67d60ea23d

SHA512
ed8206f8d7fb3b9f02a1761eff4b5216a9b86ce4b05b75286d3b6edc9a4539b3a78b1bf0a14858a2a3cdad0c42c961355ba9ca6fd7874991534acd4cec52a17b

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12

Filesize
4KB

MD5
6e44d8785f950cb01e9705d89fcaaec6

SHA1
a9fbb833a150996a3ad802deb675e1b5fe45ae21

SHA256
db8711245874c8c2a4ec85b1ad811207d3cad2f1c9ebaeba164a2ed6266f0498

SHA512
6be2a28e39cd638458f2960c28a0999caaf92e014ac53433cf6e6cd3c617572c40a962d4789a10be97ab188c28b3d518a2031c842a40ef4448d1ee2319a45ed1

Download Submit
\??\pipe\LOCAL\crashpad_2748_GRBNIPXHQKOFXWXW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3748-100-0x0000010870620000-0x0000010870670000-memory.dmp

Filesize
320KB

Download
memory/3748-78-0x0000010855940000-0x0000010855956000-memory.dmp

Filesize
88KB

Download
memory/3748-77-0x0000010855390000-0x00000108554C8000-memory.dmp

Filesize
1.2MB

Download
memory/3748-79-0x00000108723E0000-0x000001087270E000-memory.dmp

Filesize
3.2MB

Download
memory/3748-99-0x00000108705B0000-0x00000108705C8000-memory.dmp

Filesize
96KB

Download
memory/3748-101-0x0000010871FD0000-0x0000010872082000-memory.dmp

Filesize
712KB

Download
memory/3748-102-0x0000010870670000-0x00000108706BC000-memory.dmp

Filesize
304KB

Download
memory/3748-158-0x00000108756B0000-0x00000108756CA000-memory.dmp

Filesize
104KB

Download
memory/3748-157-0x0000010876370000-0x00000108763CE000-memory.dmp

Filesize
376KB

Download
memory/4904-816-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download