quasar | b8a2e41418a9b8a882cd0c4a43bc25835a07b273be2e3851aa57737bef0929b3

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-02-2025 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger 3.5.exe
Size

3.4MB
MD5

55fed3c2f548f0a0beed666f20a01d97
SHA1

e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256

cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512

2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP

49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes

encryption_key
5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3376-1-0x00000000002F0000-0x0000000000656000-memory.dmp	family_quasar
behavioral1/files/0x001900000002ab0f-6.dat	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2632	Client.exe
1352	Client.exe
2496	Client.exe
4736	Client.exe
4052	Client.exe
1120	Client.exe
3088	Client.exe
2000	Client.exe
3560	Client.exe
3028	Client.exe
2620	Client.exe
4468	Client.exe
3396	Client.exe
2084	Client.exe
3564	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3000	PING.EXE
3884	PING.EXE
2008	PING.EXE
3380	PING.EXE
1516	PING.EXE
2876	PING.EXE
3904	PING.EXE
4912	PING.EXE
5080	PING.EXE
2748	PING.EXE
380	PING.EXE
1044	PING.EXE
4872	PING.EXE
1008	PING.EXE
1108	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133830193184082276"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
5080	PING.EXE
1008	PING.EXE
3904	PING.EXE
4912	PING.EXE
3884	PING.EXE
1044	PING.EXE
4872	PING.EXE
380	PING.EXE
2748	PING.EXE
3380	PING.EXE
1516	PING.EXE
2008	PING.EXE
3000	PING.EXE
1108	PING.EXE
2876	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3600	schtasks.exe
3100	schtasks.exe
380	schtasks.exe
4232	schtasks.exe
4004	schtasks.exe
2324	schtasks.exe
656	schtasks.exe
2524	schtasks.exe
4312	schtasks.exe
2184	schtasks.exe
4092	schtasks.exe
1896	schtasks.exe
768	schtasks.exe
2524	schtasks.exe
1416	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	chrome.exe
2016	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	Image Logger 3.5.exe
Token: SeDebugPrivilege	2632	Client.exe
Token: SeDebugPrivilege	1352	Client.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeDebugPrivilege	2496	Client.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeDebugPrivilege	4736	Client.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe
Token: SeDebugPrivilege	4052	Client.exe
Token: SeShutdownPrivilege	2016	chrome.exe
Token: SeCreatePagefilePrivilege	2016	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2632	Client.exe
1352	Client.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2496	Client.exe
4736	Client.exe
4052	Client.exe
1120	Client.exe
3088	Client.exe
2000	Client.exe
3560	Client.exe
3028	Client.exe
2620	Client.exe
4468	Client.exe
3396	Client.exe
2084	Client.exe
3564	Client.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2632	Client.exe
1352	Client.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2016	chrome.exe
2496	Client.exe
4736	Client.exe
4052	Client.exe
1120	Client.exe
3088	Client.exe
2000	Client.exe
3560	Client.exe
3028	Client.exe
2620	Client.exe
4468	Client.exe
3396	Client.exe
2084	Client.exe
3564	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 1416	3376	Image Logger 3.5.exe	77
PID 3376 wrote to memory of 1416	3376	Image Logger 3.5.exe	77
PID 3376 wrote to memory of 2632	3376	Image Logger 3.5.exe	79
PID 3376 wrote to memory of 2632	3376	Image Logger 3.5.exe	79
PID 2632 wrote to memory of 2524	2632	Client.exe	80
PID 2632 wrote to memory of 2524	2632	Client.exe	80
PID 2632 wrote to memory of 3804	2632	Client.exe	82
PID 2632 wrote to memory of 3804	2632	Client.exe	82
PID 3804 wrote to memory of 4948	3804	cmd.exe	84
PID 3804 wrote to memory of 4948	3804	cmd.exe	84
PID 3804 wrote to memory of 2748	3804	cmd.exe	85
PID 3804 wrote to memory of 2748	3804	cmd.exe	85
PID 3804 wrote to memory of 1352	3804	cmd.exe	86
PID 3804 wrote to memory of 1352	3804	cmd.exe	86
PID 1352 wrote to memory of 380	1352	Client.exe	87
PID 1352 wrote to memory of 380	1352	Client.exe	87
PID 1352 wrote to memory of 3088	1352	Client.exe	89
PID 1352 wrote to memory of 3088	1352	Client.exe	89
PID 3088 wrote to memory of 4884	3088	cmd.exe	91
PID 3088 wrote to memory of 4884	3088	cmd.exe	91
PID 3088 wrote to memory of 3904	3088	cmd.exe	92
PID 3088 wrote to memory of 3904	3088	cmd.exe	92
PID 2016 wrote to memory of 1864	2016	chrome.exe	96
PID 2016 wrote to memory of 1864	2016	chrome.exe	96
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4504	2016	chrome.exe	97
PID 2016 wrote to memory of 4968	2016	chrome.exe	98
PID 2016 wrote to memory of 4968	2016	chrome.exe	98
PID 2016 wrote to memory of 2236	2016	chrome.exe	99
PID 2016 wrote to memory of 2236	2016	chrome.exe	99
PID 2016 wrote to memory of 2236	2016	chrome.exe	99
PID 2016 wrote to memory of 2236	2016	chrome.exe	99
PID 2016 wrote to memory of 2236	2016	chrome.exe	99
PID 2016 wrote to memory of 2236	2016	chrome.exe	99
PID 2016 wrote to memory of 2236	2016	chrome.exe	99
PID 2016 wrote to memory of 2236	2016	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1416
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygPYumgtgH4U.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4948
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2748
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkDLHesbScBK.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4884
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3904
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\82lY1wCHp9yG.bat" "
        7⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYtvtrvPlFnd.bat" "
        9⤵
        
        PID:560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wjlYLmqiG8S6.bat" "
        11⤵
        
        PID:4660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oVGvvJyo1rIC.bat" "
        13⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E9gYLG3x5Kp6.bat" "
        15⤵
        
        PID:1612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\04gMdiWZhsG8.bat" "
        17⤵
        
        PID:4780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F77z6IUN08po.bat" "
        19⤵
        
        PID:4200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCm7vGEerpAH.bat" "
        21⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2620
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yF4FK0U3n7Xw.bat" "
        23⤵
        
        PID:4312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAOlLs8k6mog.bat" "
        25⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bVOCbzq2Q0es.bat" "
        27⤵
        
        PID:4380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qo80DrkJgs30.bat" "
        29⤵
        
        PID:3984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIJm5lTGlCb3.bat" "
        31⤵
        
        PID:3488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1bf7cc40,0x7ffb1bf7cc4c,0x7ffb1bf7cc58
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3504,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4680,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5216,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5144,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5312,i,14748921721402521077,16231315879997149705,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:2012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6182fd0f-c167-4c75-998f-be6a80dbf0e2.tmp

Filesize
9KB

MD5
ad64422aa4aa5d50b330deb8fb887dd3

SHA1
c2394c8f434ae3409f3c0fd462c87c9484fee4af

SHA256
6d1744e57e8882b07c8d50f6f5fa4d92875717be3d16e6abacf6f5b8c8672e24

SHA512
afc4772ca0e744f571750a34e0fff85384da8ca40918c3ba82b06cdebd0d9bfaf848dac5fc00c9c7a32adea7006d32f9a3c7dee3cfa02bef2116f502b911626d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
714c4f46d975e9b4efab9dc7fd083c1f

SHA1
a366bb845260e177489ee632c3c65b5e673558f2

SHA256
1dc19f2f07feb38c955e94453cdcbe989741988eb004cf3bcec13b45952c8488

SHA512
b8c864eb265ae5d37e831f06b857c3371e5771c080e28a25c01b5fa71d86ef7128854d606625589668b59b9a9e55062a8004b17c4c1d0d5bbe32017d30732de4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
aa1486216b1a516e3ce100d263d02472

SHA1
32795e4b71d56011c5b2a385871a1c7adc3b7d20

SHA256
cb65199735b947b8e5d43cd34de6f8fc1c69bb4e22643839e00e6724a734e2bc

SHA512
6b8412b8a13fd199d9f1518d6a14ee8652b5ecdcef97d2ff9667912ce220acd89b72962ed6f0587227c0df2082ab9ba30b44095bd0821eb5585fed67ced7c8ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c164cd5c0cd8f73b25b0172fb9c44b98

SHA1
13b7b1bde76800dbeb1af5bbc775a29f9ffed9b9

SHA256
bffc240bb1d757ead4be6183c39ed2b859bf1e36d595e00b62feee6f42745dde

SHA512
cadce790cb7ad235d39e530d03d05a850388f783dad962075b93c6035d466a5e2fda1907c4acb42c8ed4e513238b2a31bb8bd5c92a2e5b4b6e2afebdc9419255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7cef27e1e55309615f5d69dba634036d

SHA1
f1abdb06f7bc3734f37dd46ea997100976f36882

SHA256
c5e3512593464a799c58b049f2b750613691cb9071f75ee2d4b22d7efcc170f0

SHA512
aa8799a54e241ba5fba9132d04f103a2d348c2ccde7d31b6aaadafb4e5ab9c3d3bad4aa243c356fd0e4920a7252f3d4393801b5f3a9f38a8411765d34ce94ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
75ed9fb4fd10d0c576981fc06882fea7

SHA1
4617e07e3dcfaedf4c0f4e2b24a771608aaec5e2

SHA256
3ab5100d6860e0539de462289a0c50e7a3033bfd81d0b4f2903ca50c43757623

SHA512
6a893eb91e0e8b18988d3c981c68331dc8e49bfe590be11b33f9cb48f50e5364eab1dc82b0cddf89b26aaa3a18437ed17fb3600744f4a1e802d25940cf2b3dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a182cce0aa6d382f9db6ed101c8ddca

SHA1
eb4f54d7de60700eca68dc6cfbbdd12ace22835b

SHA256
ded125754dd945121cfa33522511257b6edec33d2a3384591b218a9f250bb4f1

SHA512
f04fb4ce34177c8121da152c07e7170e9e29be769470a3b685635be1ab898d8451b1512c4f993abbcb8ea5463070f24a1b758e5f76a5c67c9e410a03fbff8ff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
185aa93cbf1de0253ba4608f62ce02ee

SHA1
e145e3d624037bcca83a84eb8edb87d0bdb17083

SHA256
faaafea74ea88b0f13f4dd63e6430179b6660733822d35f76bf6b8caec185fd3

SHA512
f824396432b3f9c3d5296f3bcce1082994f79b9a391993b6b8fc719c46ab34b67cf4a0ca93b5cd3dfea03ce499f97dcbbee22369f782b214a48b5a4ec627aef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90327d87af969309a83f3e4e1166fe67

SHA1
b2813f114e281dba2b3473f64571f7055b0ff517

SHA256
32cd744c1444eab02869cdfb51aa8e147f9f8b7f554c302a554d38751409ca02

SHA512
67a739879f621a94c2456d031bdcfacf28fcdcbc67c841f8a6c6bb818ed2d9c4a799cbf4e28d5c82666a25df8c2661bcaf70d825abf732b5f08a972720924c9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50486ffc73910833b997a720682f9e55

SHA1
050000e06250ed77e9f83ac4783f2f29cd0cdf5f

SHA256
618b9d90bdc8111adfb275a76f308e206b93ea5c556fe0a29ff050094ec9cca1

SHA512
7f6e36ab99a86de10b5adbe2eb6d0f753188ec20d80f20bd9cc22540e91cad0d32604d515d9524620497842633545b9ea15b2c46b16c5193e2c22e148d978588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85a12690cfac7ce263ba0bdc3e097858

SHA1
df118f3540480ba1001de61e83dfc324f3a689ad

SHA256
1d61746a0a4d342d1a69c123802a10807494c13710fe3f9546d562d42135cf48

SHA512
c07a53e087e6067770fdb91918d65e18ac923d20a21d26f65ef1ba12b37b500e349173bd2ed328ff7c7be40d74499899553350f1ba9a151179968c0445175bb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f58858e546240a09a41cb45d226fdfa2

SHA1
3a08b339a4f525a405b8840800ee31be633c5da6

SHA256
5704ba51225405a3b649ab13803ad4cd101a5438d51c53c886f113e98aaf969c

SHA512
6c762fcca163ed1226d7580d677b3e4b1bec475508d5544b55d1eff9febcd0f070084713b6b9f629dde4352f207d9a77d49b6551454467b56638e3137ca70f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0fbdf1abf1f20e3f1f80d18410ce57fa

SHA1
574b4105a2dfccbc0933797b379c841ffb22c707

SHA256
69baf365f7cb50d37f532ec9a1120fedd07f494b090889eaadec20d555382ce1

SHA512
9430132f5fc339fb63d301f9b46cc9251578663ca0b9ee84a087f1c7cc30a590e872fabfc4dbee5c54feaad07bf0de8004e2828a3e7364f6ed71ab4285c51aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0f40fcd1c4108d68380ddefa06f936f

SHA1
e39f6c800f5adc67c522e5566209b7122c5504dd

SHA256
7222cb2ae5d8b7accc8451c81106784966bad00b4710691b73eb605527c50fee

SHA512
786d9c0330a817a0e9d7e23eefae789b641c744e3c2f910ca4bfca88d63dd3f670f9d25ba5f05314d6d527c925a2d4f5da276faa57b0c5063c77b42085f3cab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4136204ec8ea901b3bdb3f063337e04

SHA1
961070f66acaa3cd08341e026d75858660c07eab

SHA256
01528b277991722a42e52362d5de2ac7e5c702db6ccfc5ba5607d0cea698db10

SHA512
20abcbb36f3642de4cd0ca74e6c29ee91eee19b7171f2e9a519c721fd59f39c3a819aed13627043abb14e801c562e003aad88e550657720df99b5888bc2916e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
14cc2f3a10a5a475327a953896b966c5

SHA1
de3488fcbb64c5f15225c795117c90f9aee3d36b

SHA256
46c3855ae07580e6eafbaf26cb381d5f96ccfdefe2460bd979d3e5a634e5afda

SHA512
b1086c11848718b555728090c7907b1d91564491903e9a2ade08bab2d3b9ad9b8f4708634c8b9b0613ea71fb3b22344eec3593f0b90982eee39bbb94779d4320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
9a8d568c232b3e143d0f8438da22aa43

SHA1
a5756024e1f712eeb415e40cb77db7c249103757

SHA256
9190d3e6f695c7f7cd28ad46cc93e9a89afb63e8fa22bd804ef78272878402b1

SHA512
e0e9aa9be813a84757629a0e9963c2ba41bd21b1829544b278a3caf800f6012b3f059759f9413233dba139d44618be2aa0d05213c6203d8fad07b142c3e09705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
0492b273572dc26af15214f96819bb8b

SHA1
b104241a97000e98b87b78fac311303d7f0b6e14

SHA256
2bd2854aa187891be9a8acc837b5230a07d9e496497253381234dd41baffc097

SHA512
27e53059371dba2e8eb0559c167c95b17ac9d33f783dc70cef8d9d90972b319e82f5582174cfabb70f17d46e0e674426d91ab283f876c91ba2676aade43f5385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\04gMdiWZhsG8.bat

Filesize
207B

MD5
cb8233e570cdc4bdd5cf281916f008ee

SHA1
d4000005d7ab974ce2e039270e04e6af17e168d6

SHA256
e5ecf1dabc5bfcbe585e01ff02a8fe8c36a3c92d61fe7e0dc90ca1df4984df0a

SHA512
3a5fd4f8b1b6063f069fa48cbb6df0e2db043810d2a75ef28761d8d87a1dc47d21f848646edfabda5111e4f62f18585fc03ad1c58c4d5e313f9723ef839c07a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\82lY1wCHp9yG.bat

Filesize
207B

MD5
287e9860dce69757d75337fbb820a6f4

SHA1
e8b189ac36eb35bc2ef9965fe0fc4d521ffdbaca

SHA256
d073a66cf6bbe53a0cd74b62567d0d3d1524c3d7a204419970e5b5d4774bc10f

SHA512
394321d4bc6e523ba6f97662c327e0e1266f8c83d52afaf9352d4993431a7dc31c7cee1539df07ee24fb4fa14469c10ce03e46a7cbc755468b774bc922371dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCm7vGEerpAH.bat

Filesize
207B

MD5
e88381baf54c776fbaf597af9faa08bb

SHA1
8c9dff7f8540c136321a90521514e6f2e41c03a0

SHA256
aa7ff6dbeafb3a5cd77b0431f548f36dd5e6532ed71b2f73cc4390e41193e855

SHA512
e8dad7ade52b221a8e845318cfef1baa91721e94b7c917724332a580cac0a6e1fd79fe8b83a077190cd89617690079c393f618dc8f20e6239b51f6f166e8968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9gYLG3x5Kp6.bat

Filesize
207B

MD5
17205404ae1a49ba8a2dddd405bf21ae

SHA1
f4cafc988a8e448bf60f12479d33e9fe0603a6ef

SHA256
ec05716cfb30babc26518a0f860a40dc43f51371c816ca9165fd33944cbd1b10

SHA512
276ae0a5c896d8bd6ef4c2b2a89be73dd8f686aad8010d6474310387606a6b656250cbd0368a55db70c98341ab1fcf047d7b9d4f85758b96ee97b8f055b96689

Download Submit
C:\Users\Admin\AppData\Local\Temp\F77z6IUN08po.bat

Filesize
207B

MD5
cbd55905687d254d12222812ae06a6d7

SHA1
10dc09af33af7e056758ed51b22fbe84f868f7cc

SHA256
734647095c4f407e8c64e4de6029e9d8a2a6bf28061152fbd3404f575b6e8f35

SHA512
54554ff450ce589994ffcdb16d810381764ff8851006276788b55bafc40a25fab75060e83af809afca9d65296f56ba9967750fb0d3c4a64e1c0f3f37ff10c4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIJm5lTGlCb3.bat

Filesize
207B

MD5
c1318639a597f0353216f0a3b18df1b4

SHA1
10ca11c0c2a88fc9eb0c786ff1b188362a32081a

SHA256
80db38493749ef5c9f556f994ad5239c42ea16e5863df7018c0bef0673c09723

SHA512
171350427403f1e965e5d23a2390b021be788a7af1834f695baf317ed3113e8bf036e05144c66f032c4737578d46b88ed32af176f1749dd8d5ade14963fa5cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qo80DrkJgs30.bat

Filesize
207B

MD5
d4135742fbdd02f2354d4493f43e3112

SHA1
0ceb461b283d032acc5f1398486258865be930fd

SHA256
8824df542bb5b07ee0d36031d551845d934f4181a64d6095b95cd69b454dddc4

SHA512
5a660013e87ec20babb9d8576a1097f3dabf15b6e8aa3cec5c315ac0092273b1956d50fd8827efb446b21dc053a53747aec4191220a45526ec1e9d996d97b570

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYtvtrvPlFnd.bat

Filesize
207B

MD5
aed631ebd64a3d91f078bb91c76b7029

SHA1
335a853f118c19077b52885894cabcc566b59348

SHA256
4d589f60a52d7f2cde15e548a20d1482bd2de3b27ba642f6672128eb28a9c099

SHA512
170eb4c01632e1f098cf5eaa6f8a29ac4c0035655c3c991fb4de42828593f4968b9a37b98df5ed2516c01fdf69f3cae5f002d3a5d46c305edb9b2959d3db2b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkDLHesbScBK.bat

Filesize
207B

MD5
dca5977da576ee609eddc4db3f089bac

SHA1
8fd9a489018b58d038d2f6065b2ab6f696b19104

SHA256
2f2dae0b5cda7d22ca2f670d0ea76805981e6f4d77ace4cc874003fc175445b1

SHA512
b50df5aa9a31780ba408b11a1a61d545b668ce15ef672c05d0a568381a841b461a2263be861f1f09b6322abc7f8cc39dd4e9dae0673087913140cac6592e5974

Download Submit
C:\Users\Admin\AppData\Local\Temp\bVOCbzq2Q0es.bat

Filesize
207B

MD5
6d900b62ec90bfdf9353628ed7e720ba

SHA1
e707bf21befa69578ac382bf2ad2779d602a63fa

SHA256
43cb1df107882306e90fd1c0d4a2cec6e7df55ac787514af36e408a4eef1159a

SHA512
b566bdfca21ed7195b9636d26669a707eecb2fd6990ac60bc75e4fbe6503a86116b3dd87e7a7592a46a4ffbe71181937ec6e6a331c12e971d7b5046bc5c25daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAOlLs8k6mog.bat

Filesize
207B

MD5
d5518a02f5d7dfe71514f8ddafab7400

SHA1
adcf029ac2f2e5026e694960dc26460565b86c0a

SHA256
e728ee00392e1f18af73aba94687185fc42f920dcb01706f13d16711c103fc12

SHA512
e839872e4cd5ff5ab93f34a43dcf61b6166864b2eadbe633933a280ad4665e3a57544ae260934884bde28b264237eaaaff0d8450a2238380125b6e01155b665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVGvvJyo1rIC.bat

Filesize
207B

MD5
4eb02f3a6eb05d20d8b5484b4931407b

SHA1
dfe8888120e753e4b1a434bce145aed0e2d3820a

SHA256
7bfb2e84d1a9b699369a7dc4921b5f4af215d092494781910560c88f33dcbf1e

SHA512
503770bf5850b24a2704b7302833017913a1594ce6b24e2918a52261ad1d60ebb890234796e01ea8ac7cd04e2c0d9fbbbe12df693fcc3d158eea0fbb0c3fa73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjlYLmqiG8S6.bat

Filesize
207B

MD5
7ec0c5bb83b5c9c67a6b92afd9a1aaaa

SHA1
0cd1562f875ee8244c15d0a274015ec56465fb70

SHA256
d2aae3261680169760707dbdc2927cee6d813ae205603122414e932acdb1f85a

SHA512
c0a4c9d8411e7f6502bc19e6ef935a12069722c9adb37af6086794f891f5ea61f4852038aca8a68ea19d2779bfbed56717778ab972c0c754579b7135af3fe9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\yF4FK0U3n7Xw.bat

Filesize
207B

MD5
d3dbb3b48e39d94f346115fc66ce04ad

SHA1
b90f5a770b1fe0d44df09dd3df6510c7fb470884

SHA256
a889758f5c92dff59ed84dc5cb6198ae6d283d5a959cad9eb50564ef067a5f65

SHA512
42976b3376adf32530fb6af69ebaef3e1498f05e7936af17c9dc75ce2d212e8a0296986483537e2fc74f8b731f90ef2dbd84a6cd454297fb6b75bc6f787a2b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygPYumgtgH4U.bat

Filesize
207B

MD5
5cdb109c1aad90a8ab574434d922c427

SHA1
12db633a854a7266c78b1ea10d46c5817f9c720c

SHA256
9be17b7bbcd609868dd32634a99afd19c6f1195fddf4a741a38ee7441d02e046

SHA512
f3ceb7d56fed1e1c216a16bf8aa97e650feb7b874c9a3f3d6eca10391ca31c73b1fe2cb91315c1069690c1f9b91b38b6aad8416f46b9e34036fe707bcea46473

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.4MB

MD5
55fed3c2f548f0a0beed666f20a01d97

SHA1
e2908aeb63e17405b95c05a06a886813e1d4d594

SHA256
cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

SHA512
2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

Download Submit
memory/2632-10-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/2632-13-0x000000001C4A0000-0x000000001C552000-memory.dmp

Filesize
712KB

Download
memory/2632-12-0x000000001B970000-0x000000001B9C0000-memory.dmp

Filesize
320KB

Download
memory/2632-11-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/2632-19-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3376-9-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3376-0-0x00007FFB0A763000-0x00007FFB0A765000-memory.dmp

Filesize
8KB

Download
memory/3376-2-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3376-1-0x00000000002F0000-0x0000000000656000-memory.dmp

Filesize
3.4MB

Download