Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    595s
  • max time network
    599s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/05/2024, 17:51

General

  • Target

    ZenStudio.exe

  • Size

    17.2MB

  • MD5

    2b8322f747ed7623d698c524ccf2ea16

  • SHA1

    fae3a00cd6334cee7e793aa6bb56bffc45c0bca0

  • SHA256

    1f1ad9c1f639326946f39129cb9ff5015669a0a3dd9e21db07163fb48cb6b709

  • SHA512

    e1a3070b760cd7999339a21e72618b7614c1b26bf5b2acbbdfd45c27eb115d0d566fa5d835cf505d274025366a2a474450bd49b3607340cf52731c7f26e784e4

  • SSDEEP

    393216:DaLCsFu4++WuIuffxPvMFQFgs20pHOMOv59/dWnnETyNS0yRMtEX:DaBIETfMMuMWHlo9vyrX

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.116:4782

Mutex

f55cb366-2131-4b43-b653-b1dfe19ea719

Attributes
  • encryption_key

    2209A46D68E2D7B07274489E0B5E4FBE909ACAFC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe
    "C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe"
    1⤵
    • Loads dropped DLL
    PID:2840
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4a423cb8,0x7ffd4a423cc8,0x7ffd4a423cd8
      2⤵
        PID:4916
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
        2⤵
          PID:1484
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2328
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
          2⤵
            PID:3032
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
            2⤵
              PID:3868
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              2⤵
                PID:2344
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
                2⤵
                  PID:1664
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
                  2⤵
                    PID:1552
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
                    2⤵
                      PID:4804
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                      2⤵
                        PID:556
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
                        2⤵
                          PID:4604
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4824
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5080
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
                          2⤵
                            PID:2432
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
                            2⤵
                              PID:2552
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
                              2⤵
                                PID:3212
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
                                2⤵
                                  PID:2060
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                                  2⤵
                                    PID:1652
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
                                    2⤵
                                      PID:2324
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
                                      2⤵
                                        PID:3872
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
                                        2⤵
                                          PID:4980
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:8
                                          2⤵
                                            PID:4312
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
                                            2⤵
                                            • NTFS ADS
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4176
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • NTFS ADS
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:784
                                            • C:\Windows\SYSTEM32\schtasks.exe
                                              "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                              3⤵
                                              • Creates scheduled task(s)
                                              PID:3764
                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1352
                                              • C:\Windows\SYSTEM32\schtasks.exe
                                                "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                4⤵
                                                • Creates scheduled task(s)
                                                PID:2400
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4568
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1808
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4140
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3972
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4084
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:952
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4480
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3884
                                          • C:\Users\Admin\Downloads\Discord Spammer.exe
                                            "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1580
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3580 /prefetch:2
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:652
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:652
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:2988
                                            • C:\Windows\System32\rundll32.exe
                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                              1⤵
                                                PID:3028
                                              • C:\Users\Admin\Downloads\Discord Spammer.exe
                                                "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4804
                                              • C:\Users\Admin\Downloads\Discord Spammer.exe
                                                "C:\Users\Admin\Downloads\Discord Spammer.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2128

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord Spammer.exe.log

                                                Filesize

                                                1KB

                                                MD5

                                                b4e91d2e5f40d5e2586a86cf3bb4df24

                                                SHA1

                                                31920b3a41aa4400d4a0230a7622848789b38672

                                                SHA256

                                                5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

                                                SHA512

                                                968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                22cececc69be16a1c696b62b4e66f90e

                                                SHA1

                                                b20b7f87f8bc64c1008b06a6528fc9c9da449c2f

                                                SHA256

                                                d940b85bc83f69e8370a801951eb6b8bb97efbb3aa427664105db76e44707258

                                                SHA512

                                                2b2e548f2c8f84d321ef2afdf31128065c3593b884ca8111b05800960b5378b99c7efa6165d02fba4c11e6e4b49b14e419d89f76d55ef574f4ac2b7d6ecb3d48

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                5a85ad170d758e61ae5648c9402be224

                                                SHA1

                                                e6dfce354b5e9719bc4b28a24bb8241fc433e16f

                                                SHA256

                                                af0da8b5ad8127ae0ef7773bc9c4b145ed3fe7fbef4c48278649e1e3aa5ce617

                                                SHA512

                                                641414d91c993f74b6b71654522359d606c7f94ac0fcca6478d1bc33c30f4a9fdb9ce6f8e281c79a2f9b9670fda8a4ccdd80e7d64347c1f66d8c9ef024bcb09b

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                Filesize

                                                288B

                                                MD5

                                                f5daa7d735aaee1e4d4869cf57f6e07b

                                                SHA1

                                                d915cf03892e9bc4ee524bca3a06eaf021d716fa

                                                SHA256

                                                83632a00256f5ff8e2378e601ff7f256f3e42f110fe7a5d79a7f41bfbd3c22bd

                                                SHA512

                                                2ee4121384e7f4286bd1598e23e9a8fa67c810d905820890212747a8e7b44064b0baf4559fa10c6328daf4b9683d47c1873eb9a90b2ec319e2f88ab624600abd

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                Filesize

                                                387B

                                                MD5

                                                a76d8ae9523bcf5bb2caa451121a0d91

                                                SHA1

                                                4867caa19f280aabdc4f85f6468335d70ad1d996

                                                SHA256

                                                515a528f05f0c708175813df2e149b0960d193bd4dac47a11a7641745c8a063b

                                                SHA512

                                                9dbab2a7c6ce09335a805a319399b95ad818c94153d57818cdf30cd26f825ab4517d15dca8bf4156a0aab5a24a6c06977ddb5f9d27f4be8f601a813dc88b9a57

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                5KB

                                                MD5

                                                b17335a194ca657fbe646b88280b37a3

                                                SHA1

                                                164a8568ccb19f20fbcd8b76fa52d3ae241c3a0a

                                                SHA256

                                                0ad5a78d5ae9a6fa8aa5c145fb9b6852f48d8ead700803feef3b82615690ab66

                                                SHA512

                                                0af7fe2245f7e5874d9fc5ce2b2d39d08494f5e075544eacd033fe8e1b55ccdfe40e1c502673531e1968c78a2cd172e78bba218a1522fb5c8297dedecd62ebf4

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                4846bf099d76f22adfba5196e3238476

                                                SHA1

                                                5d40bb39f2c5ea768464ae77f9081eb428925142

                                                SHA256

                                                1233912ed8d00a17be0abe84a3aa79f0b8a52fcb53e93e64e9a83f8ac7380236

                                                SHA512

                                                e027528dcd7783ac20c5c0c777b83ca64e75d4dfb7ef67dd310861991ca30e3b858c3e33868baef205f8ece4e6ea1bd97f50be78044cbfc4960fc42100bbd5bf

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                5KB

                                                MD5

                                                1379f9d5ea26381c4a28ff656de785a5

                                                SHA1

                                                1be6663c7b1ee069e61b83c5d23845010cf4eef4

                                                SHA256

                                                49d0381c847e86e9a89d63aa8f5a2bdde071068b58068fabfaf76e99bfa32265

                                                SHA512

                                                07cd13e08efd7e69a4dce6d036f37feb609adec3f5b3c5c6fbe02ef8e4cc35c97c7812aa0d85bc5a11b8f23b2b8e8704bf2ae98e06da922f0ff8eb3ae1d8fad6

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                5KB

                                                MD5

                                                1babd2bf870221bf3cbe1169a2d88478

                                                SHA1

                                                1e49d37e913068836200fd5b8ce06b721e3a693e

                                                SHA256

                                                5db7821e7e31c9b4110aec72719dad5b58503103564644a3d684e92a4f36ee89

                                                SHA512

                                                50efe44464a3265d0a39ec498d77df8828c5de69463980ee151f1c5ab004aa79a3b4193c4dc6ae98e203b6686c2e3316eb211a4d0b47faf857713c6d0b572d5e

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                5KB

                                                MD5

                                                248ee323bfbd827ed0b9f6709d424dea

                                                SHA1

                                                5b76d691f5da8ad25fb3e7c6a0db38007a435b9a

                                                SHA256

                                                d00bbaff790282e7787e15194d319215f0193a5c9b8042763dbf5502e0bc5b3e

                                                SHA512

                                                7cda75d98c005dca1c68f4df247e9713bd79c0b7b92fb0eecbead82602a61569816980a885b9548aedfd07489087f6e31c461c788c69bc01b6c7cc226628ec97

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                46295cac801e5d4857d09837238a6394

                                                SHA1

                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                SHA256

                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                SHA512

                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                206702161f94c5cd39fadd03f4014d98

                                                SHA1

                                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                SHA256

                                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                SHA512

                                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                12KB

                                                MD5

                                                794b5a40d9862dd2673e890a9acf7d6a

                                                SHA1

                                                895be693322ab701384b02a401e63b24341f62ae

                                                SHA256

                                                085d3f96656baecaa3af3de608bfe3e329c1baf8509f38c56b26c9d94292511c

                                                SHA512

                                                da33aabce9c6b780217c8c4d9298818ed526dd82c81b02ca7ee96f2b81414187e290607fa3e65374f9071a20e547265181347171325f95e746d41f0ca80b9829

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                                MD5

                                                8b0ed1b019fcc55c4e086fcd013f7487

                                                SHA1

                                                853ccad344126bcd02ac1d1bdb1e89d241b39c3d

                                                SHA256

                                                38410cfff783b1734f5f0cd69a7cb2e653bdcc562850ddf971d45113a7f10bd9

                                                SHA512

                                                bef79b32438473cdfb792a4517bb60f47abaca9b2034b682848a3fcd3fa6b14b17a034fb193f181f77bd998a292f1cb9e6e7a993b3a2347c0b13a72e72dd3b0d

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                                MD5

                                                d665b4e45dfdc340a662745d8d721b11

                                                SHA1

                                                d9d8fbb96bb94a292b77f5124a0dad6c098b18bc

                                                SHA256

                                                41f5f99fb7034e7b46e0bc2da84d10d2c2101fbac2b18a856bdd09a07ca3d81c

                                                SHA512

                                                408093e737a075428cc8190c76b394660f56bc9c214fc2cfebd9b63cf12dad48210616ee986f40feef8eae042e002990a06261e5fbaefd8a400b368257222407

                                              • C:\Users\Admin\AppData\Local\Temp\nsa6EE7.tmp\InstallOptions.dll

                                                Filesize

                                                15KB

                                                MD5

                                                d095b082b7c5ba4665d40d9c5042af6d

                                                SHA1

                                                2220277304af105ca6c56219f56f04e894b28d27

                                                SHA256

                                                b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

                                                SHA512

                                                61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

                                              • C:\Users\Admin\AppData\Local\Temp\nsa6EE7.tmp\ioSpecial.ini

                                                Filesize

                                                1KB

                                                MD5

                                                72b94be225535826e23580b1dd6d43cb

                                                SHA1

                                                302b647295f8431355f87aad2637a613ccb5bf59

                                                SHA256

                                                2e6c1e18b1ab8b2c801e761581e30e6fae535f27f01797126e5618aac2db4347

                                                SHA512

                                                1c8c9acd43805f62a04d1c9991969fa401d39dfeaa0b79783b1625b8a7ae73aa5fc80df4faf8876d428c56fa291c70a986a21f5745a9b7467b30a24bc68dd0e8

                                              • C:\Users\Admin\AppData\Local\Temp\nsa6EE7.tmp\ioSpecial.ini

                                                Filesize

                                                1KB

                                                MD5

                                                78073055d6f628a4ffc5a995a40c4e49

                                                SHA1

                                                0306f84c31e66f7b147ee926c3a8edc3f85ec8ae

                                                SHA256

                                                272f20201e6127e903d8b0c5654cdaf31e8febe698b3ec92157e8d5e9d5cd4bb

                                                SHA512

                                                64b2ec0de433fbe704db4580dc4405ec9f9bbc80b0321d2bae75b23d3d4a7224906323bf25d01183f11527e3a8215169222da884c6e41e2d46c54b61e64a9fab

                                              • C:\Users\Admin\Downloads\Discord Spammer.exe:Zone.Identifier

                                                Filesize

                                                26B

                                                MD5

                                                fbccf14d504b7b2dbcb5a5bda75bd93b

                                                SHA1

                                                d59fc84cdd5217c6cf74785703655f78da6b582b

                                                SHA256

                                                eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                SHA512

                                                aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                              • C:\Users\Admin\Downloads\Unconfirmed 637145.crdownload

                                                Filesize

                                                3.1MB

                                                MD5

                                                ea51c23d05223ab87b453d75a67f54dd

                                                SHA1

                                                338c3f1a35a103d8b468a5c7bcd4e94823f5a97b

                                                SHA256

                                                b6b13eaf085d5c457ad6a51b8eb95d5556dba3d612e8fe942fb1891ecbaf6518

                                                SHA512

                                                66252ebb285d1a483ba7fbcb598b4c103cce4320bddba1c96ce0ff163a2562c92cbf895a16e3da8ae67a31d741073557be71fa883df3452fa6bac348f3da5464

                                              • memory/784-265-0x0000000000B60000-0x0000000000E84000-memory.dmp

                                                Filesize

                                                3.1MB

                                              • memory/1352-274-0x000000001C0C0000-0x000000001C172000-memory.dmp

                                                Filesize

                                                712KB

                                              • memory/1352-273-0x000000001BFB0000-0x000000001C000000-memory.dmp

                                                Filesize

                                                320KB