quasar | hxxps://gofile[.]io/d/KNKNlk

Analysis

max time kernel
427s
max time network
458s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/KNKNlk

Score

10^/10

quasar emmassub discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

EmmasSub

rath3r.xyz:4782

Mutex

7126373e-e872-4f94-bbbb-42e88d57137b

Attributes

encryption_key
4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
install_name
Windows.WARP.JITService.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MicrosoftUpdateTaskMachineCore
subdirectory
ice

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023d09-183.dat	family_quasar
behavioral1/memory/3164-185-0x00000000004F0000-0x0000000000814000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1544	emmasBackdoor.exe
3976	emmasBackdoor.tmp
3164	Client.exe
5188	Windows.WARP.JITService.exe
5880	emmasBackdoor.exe
5912	emmasBackdoor.tmp
5596	Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Windows.WARP.JITService.exe
File opened for modification	C:\Windows\system32\ice	Windows.WARP.JITService.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EmmasBackdoor\is-PDNJG.tmp	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\Client.exe	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-9KNNP.tmp	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\Client.exe	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-A0NJE.tmp	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-NR5TQ.tmp	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4564	powershell.exe
5948	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe,0"	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe\" \"%1\""	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\ = "EmmasBackdoor File"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\ = "EmmasBackdoor File"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes\.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes\.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\DefaultIcon	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe\" \"%1\""	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\DefaultIcon	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe,0"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 739559.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5132	schtasks.exe
5252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2604	msedge.exe
2604	msedge.exe
4956	msedge.exe
4956	msedge.exe
1036	identity_helper.exe
1036	identity_helper.exe
2892	msedge.exe
2892	msedge.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
3976	emmasBackdoor.tmp
3976	emmasBackdoor.tmp
5948	powershell.exe
5948	powershell.exe
5948	powershell.exe
5912	emmasBackdoor.tmp
5912	emmasBackdoor.tmp
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	3164	Client.exe
Token: SeDebugPrivilege	5188	Windows.WARP.JITService.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	5596	Client.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
3976	emmasBackdoor.tmp
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
5912	emmasBackdoor.tmp

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5188	Windows.WARP.JITService.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2364	4956	msedge.exe	82
PID 4956 wrote to memory of 2364	4956	msedge.exe	82
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 4700	4956	msedge.exe	83
PID 4956 wrote to memory of 2604	4956	msedge.exe	84
PID 4956 wrote to memory of 2604	4956	msedge.exe	84
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85
PID 4956 wrote to memory of 3192	4956	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/KNKNlk
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb42b946f8,0x7ffb42b94708,0x7ffb42b94718
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Users\Admin\Downloads\emmasBackdoor.exe
  "C:\Users\Admin\Downloads\emmasBackdoor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\is-IVHF4.tmp\emmasBackdoor.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IVHF4.tmp\emmasBackdoor.tmp" /SL5="$E01D8,1909968,965632,C:\Users\Admin\Downloads\emmasBackdoor.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-4V6HK.tmp\disable_defender.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Program Files (x86)\EmmasBackdoor\Client.exe
      "C:\Program Files (x86)\EmmasBackdoor\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:3164
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5132
    - - C:\Windows\system32\ice\Windows.WARP.JITService.exe
        
        "C:\Windows\system32\ice\Windows.WARP.JITService.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5188
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,16584936860396302900,11889188766303318479,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5200 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5844

C:\Users\Admin\Downloads\emmasBackdoor.exe
"C:\Users\Admin\Downloads\emmasBackdoor.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5880
- C:\Users\Admin\AppData\Local\Temp\is-U2F69.tmp\emmasBackdoor.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U2F69.tmp\emmasBackdoor.tmp" /SL5="$F005E,1909968,965632,C:\Users\Admin\Downloads\emmasBackdoor.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-P89K5.tmp\disable_defender.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5948
- - C:\Program Files (x86)\EmmasBackdoor\Client.exe
    "C:\Program Files (x86)\EmmasBackdoor\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EmmasBackdoor\Client.exe

Filesize
3.1MB

MD5
66ebe604ddf4d6ab60a183f515536528

SHA1
278782873ae0a5cac94add051edfc12e223be55c

SHA256
37e733731381c02941e4a8da30350cf968532d08012b6bb91e525241e8ee2c86

SHA512
756de51b5f6116640736f7dd37faf6172db79c8eaf8da17ba1e3d788d5c0179a01746f7d30044ca5c535c1b3d938bfde3e5d810b7fe50815030be8a5288c2bf9

Download Submit
C:\Program Files (x86)\EmmasBackdoor\unins000.dat

Filesize
5KB

MD5
821526a3076fab8ce95097320108e2b3

SHA1
67e0431691259a08234be2752bf3cb6269a41f82

SHA256
00430f366e6d0f7b3ae898ca8293e96fb120dd9b9f5b2873e96f46565fda5ba3

SHA512
b47f18afa67366794c99fdf295560705e1f0133a9fafef69c02e5ae4b6e3ee3e61a4c565be33879b1b0d210a49c4b9d4e5f7de2d5f6c0870bbdce2855a557291

Download Submit
C:\Program Files (x86)\EmmasBackdoor\unins000.exe

Filesize
3.3MB

MD5
40241dd8f313363eaa5757d57dee2f1d

SHA1
42669c3dc9080eb7aed3e2c3235412922ea3e731

SHA256
8908c91c6c53b346cf416e28027132e10f399da42aee6e82b086fe79e8f964ff

SHA512
33f05439f0318e89dc38e05519c9662d97f0d0125d7f7236815973a0da13181ac99cb5cbc80b558e361bc04118b00379a341c8ead652897d2927400ee0322b8c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EmmasBackdoor.lnk

Filesize
1KB

MD5
a7e0d6dc0c89a4c18454302015cc47e5

SHA1
367532e733ec67d0af35a94c290ed150eca82939

SHA256
08300cd7baec880724dcf27c852a7f9932d165eabb049aefedcf17a31f3545c4

SHA512
3220968dfadfaa4919227f01447adc1a28b9a0d209a6dd806ac0ca98d742908e7a7534c94f338b0ecf0df80df6ffcf8ba42712e6399fb1d10e459f6cb0bfda31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4b266e5e513dbdffabd5a0b73d952fd2

SHA1
c1df3ec6d52cc3c0ee289457d550b4fa6bb644f6

SHA256
922d50a78b53d2956b0b4370f292803968cc465b37ecbc1d7b3e88f71ffd4c30

SHA512
2f32a8949ca7fc1d6c2e2a8e0b3444859e0472b58c58c9a3efe1596792a51473e4037138c746ee095f7414c6528e3e5721375f6e27accfc4a6610798a69b98b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7db3dfbd3824847e38299e19ed495db8

SHA1
fbb346a0b070d472e259af72e5e8452bcb8b5cf7

SHA256
0e7ef01600508d4133a35436c94acac7aca6b400da7e200cd857f4c7cf1d4aba

SHA512
748a46889be2bcac7080c21c63c954df22d8bac7cc40c5e69f1d017d9bb6b27900843853f51f4d18465cef196187e969406c89d11820cd80edb515ad6a1cadf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ceef58354587bf9c3aae3650a9d3533c

SHA1
f4892bf50fe609b8ecd596252f721bc38f1e8e08

SHA256
5674be3951cea3cd246e7dca3d70b605598faea2a9f172641479f03ce7e263b8

SHA512
1b6b406a7652fcab365451317dfdc74adfdcef1e0f060fd805a8349d20303d1eedb911148ee7eeee79d077f77b3039cfb1976db1d452d953ad5f21f539e49a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ea6393eafa034f6474b5d54dac1e50d

SHA1
bd7e474ba5ede963e3b05f2617a04485a3d82e63

SHA256
7dd3905cbfaeddf6cb417f0f21caf0f270772b42d6d8ee45d83a738d37f90cd3

SHA512
40888555bde693dbb39c9441b82aa3d1857ff7f2400d8c8f0830ee551076b7d35ac633f63b02566fb65c39bedec747670181c60905de2e25c2ff8db22c98d79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
76b71987b78de84709e257a645e68780

SHA1
f4178115fb4d50f34c16d5d553a1a8b980cf449e

SHA256
c58a62f085e8ad0331bb963724bd87702df76d0758eb7ff513ef118d271be777

SHA512
b714f438577d76343d185e810e2ceedbdd0bb5da529a81c062ba198710f8fe509a030d9fb2c92c503e8a7507b3a50d840d10f6a65cecbed8df8990d5ef03856f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
58773e72daef408b3a99aa119e6cc481

SHA1
004f27f16cd8eeab0391d828b4974ce4e625bbcd

SHA256
126a929d2595491b8b0cd92f0f21c138214f85cb0e7df0bbc35257812d8da111

SHA512
6e61ae9818070f57166ac31939399c75f2bf55104aec8fbd01d5181f7ad66cbec45140fe44ce770a1d8f2bdfc370f0f5d4d9a558586ad906160e48f3f9600333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
53c6b2ff0a94efd339b72f06edb120f5

SHA1
ab1a21e5731e518d233f8b5c242919c6bda5253a

SHA256
74b176fc3955643328ce3487bf1f22ab788bd919438c172877b52ab829049031

SHA512
b614d197c36ab21893bafb8d596689cc42a7430b96be3f94ce063fc4e0952b798fbe9b9373acef51bd2435c47ca2b7d3a255219db958f05ff910a2fcb42ca525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
afb47fb69c6415ff2efd0c2416a823a4

SHA1
f636e299ce78eca7c38d7cbed6f4353b91230d54

SHA256
dc35b202bff31373fe38e1aa47943cdc7bbb4b73719f3abe2cd88865ce471942

SHA512
d65faa6ba66bedcc37abf7511b8ec4ea9ab79b6666bb1363cbf791ae9d4e4806c34f47053728be487c2d772517a9268d01f1da8d5076d2a04998c6a3d777625d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c219d349dd7e8511ce5d10c53936993e

SHA1
471fbc6039f4ee26c58118a617ba850852e70193

SHA256
cb291f5fef6d41c8a3302dda537b5c7e0db269703676964507c15a098090b0ab

SHA512
86be3d117b4bfa2636a8ca328b01a39ad95b2123389c621ef3f0bccf5194c3c4beb374647952daf9dbb440fa1324040f8ddae849f425f76f1d6e16ed48003b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
11943efe65480422a440aa4a19d3e1c6

SHA1
31bff00f0cd3321a79cdf3f928ba9f3f632d5fe3

SHA256
989a9fb5e987a8e6afe507470571e47934b53da934a3daa609def63e40042f7f

SHA512
0995ff844a68980d7f28eabdb2324a06e46083012a49717106d9c333c80fa04c3869735c86997abccd7e7bc7e9d4de2831df6a78ff836b7016fc78b908ec53c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mfytidkh.fkp.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4V6HK.tmp\disable_defender.ps1

Filesize
544B

MD5
3568227fbb730d48fa31d13e87f9a370

SHA1
83ac8fbb2b9c35337f372977fe3323f63060c5ff

SHA256
a06e1c77a4ab2a13f90dc2f86bbb4cb662f2bd10b1f805b1b7745af4c2ad3698

SHA512
2b8863dbdc4c980eac867e600ca008261d046a99bf40cfc02a350ec45a04e3a7b958b21219ad0a26b339336f779ba167aa84c45dbe4d9d9ada004c4515ba6d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVHF4.tmp\emmasBackdoor.tmp

Filesize
3.3MB

MD5
95c49a50069cf27284ac7b186df5aae0

SHA1
4120193848e7726aac277f9ea6e4b3670342ed03

SHA256
9f62b6f4c234ded050162b55a9c6de0c604578dee34462b96615e48169a485bb

SHA512
f6d3fd7454943aac838cd81e17c35787747185e0736823424453ffbf375da1e921dba0a5ce88a05f7a71e2ac367d47ee8fbabbd529f48997b99f1a3afa5370cd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 739559.crdownload

Filesize
2.9MB

MD5
0266f80fe6efd3e3e4bd0363d17bcbde

SHA1
b144914eb53d2e35e410be64d2db052d06d680df

SHA256
6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411

SHA512
21174624b988b26d16ba96c57b65a0dd0c0fa02d5396ca29c5cc11851f7546a528e1343f3216b224f3deebb1e749ac1dfd02fc5485bf4a0dd5b6d0983c496ac8

Download Submit
memory/1544-172-0x0000000000430000-0x000000000052A000-memory.dmp

Filesize
1000KB

Download
memory/1544-194-0x0000000000430000-0x000000000052A000-memory.dmp

Filesize
1000KB

Download
memory/1544-98-0x0000000000430000-0x000000000052A000-memory.dmp

Filesize
1000KB

Download
memory/3164-185-0x00000000004F0000-0x0000000000814000-memory.dmp

Filesize
3.1MB

Download
memory/3976-193-0x0000000000FA0000-0x00000000012F9000-memory.dmp

Filesize
3.3MB

Download
memory/3976-173-0x0000000000FA0000-0x00000000012F9000-memory.dmp

Filesize
3.3MB

Download
memory/4564-144-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/4564-119-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4564-142-0x00000000072A0000-0x00000000072B4000-memory.dmp

Filesize
80KB

Download
memory/4564-145-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/4564-146-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/4564-141-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/4564-140-0x0000000007250000-0x0000000007261000-memory.dmp

Filesize
68KB

Download
memory/4564-139-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/4564-138-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/4564-137-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/4564-136-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4564-135-0x0000000006F50000-0x0000000006FF3000-memory.dmp

Filesize
652KB

Download
memory/4564-134-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/4564-105-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/4564-106-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/4564-107-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/4564-108-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/4564-109-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4564-124-0x0000000070610000-0x000000007065C000-memory.dmp

Filesize
304KB

Download
memory/4564-143-0x0000000007380000-0x000000000739A000-memory.dmp

Filesize
104KB

Download
memory/4564-123-0x0000000006D10000-0x0000000006D42000-memory.dmp

Filesize
200KB

Download
memory/4564-120-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/4564-121-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/5188-200-0x000000001C720000-0x000000001C75C000-memory.dmp

Filesize
240KB

Download
memory/5188-199-0x000000001BEA0000-0x000000001BEB2000-memory.dmp

Filesize
72KB

Download
memory/5188-196-0x000000001BF20000-0x000000001BFD2000-memory.dmp

Filesize
712KB

Download
memory/5188-195-0x0000000002D30000-0x0000000002D80000-memory.dmp

Filesize
320KB

Download
memory/5880-290-0x0000000000280000-0x000000000037A000-memory.dmp

Filesize
1000KB

Download
memory/5880-233-0x0000000000280000-0x000000000037A000-memory.dmp

Filesize
1000KB

Download
memory/5880-319-0x0000000000280000-0x000000000037A000-memory.dmp

Filesize
1000KB

Download
memory/5912-305-0x00000000006B0000-0x0000000000A09000-memory.dmp

Filesize
3.3MB

Download
memory/5912-318-0x00000000006B0000-0x0000000000A09000-memory.dmp

Filesize
3.3MB

Download
memory/5948-254-0x0000000070610000-0x000000007065C000-memory.dmp

Filesize
304KB

Download
memory/5948-250-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download