quasar | 87c04dddca46b42e8221c9c002ff39beec48ba8bf9577002df307cca6942b7f4

Analysis

max time kernel
395s
max time network
395s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-11-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Exploits & Hacks & Cheats - WeAreDevs.html
Size

44KB
MD5

cad3e9b4722a16f18422ec673d13d05b
SHA1

efd4f5fff4b3c5d2afd1187b0dc2e681870c8c78
SHA256

87c04dddca46b42e8221c9c002ff39beec48ba8bf9577002df307cca6942b7f4
SHA512

e78dd24ae9c379986db4c780be5d6dedfc470cce8fa5bb4bc8e75a4b21362a001f144c30e0bd75f76dad0e6b106bcc2ab505195319b92de3f83eb1729545f040
SSDEEP

768:lEk5ilUlLqIiVfvOflS5/u01/8xWApJingqna03O7m7Y7r2GublSNFSrZ/:ll5ilUlLqIiVfWflS5/u0/8xWAringqJ

Score

10^/10

quasar discovery phishing spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3980-1749-0x00000194A6950000-0x00000194A6A88000-memory.dmp	family_quasar
behavioral1/memory/3980-1750-0x00000194A86C0000-0x00000194A86D6000-memory.dmp	family_quasar

A potential corporate email address has been identified in the URL: %./2678@CDFRabcdefghilmnoprstuvwy
phishing

Executes dropped EXE 3 IoCs

pid	Process
3860	JJSploit.exe
4888	JJSploit.exe
5488	JJSploit.exe

Loads dropped DLL 2 IoCs

pid	Process
3852	MsiExec.exe
3852	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
18	camo.githubusercontent.com
24	raw.githubusercontent.com
66	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\JJSploit\resources\luascripts\general\god.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\tptool.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\levitate.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\infinitejump.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\noclip.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\chattroll.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\removewalls.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\aimbot.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\criminalesp.lua	msiexec.exe
File created	C:\Program Files\JJSploit\JJSploit.exe	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\fly.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\teleportto.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\jumpland.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\walkthrough.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\magnetizeto.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\beesim\autodig.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\dab.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\policeesp.lua	msiexec.exe
File created	C:\Program Files\JJSploit\Uninstall JJSploit.lnk	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\energizegui.lua	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e586675.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF857ACB58AFE602BC.TMP	msiexec.exe
File created	C:\Windows\Installer\e586677.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFED95E993685C95EB.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1010BA4EA47462D1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI678F.tmp	msiexec.exe
File created	C:\Windows\Installer\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\ProductIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF653D6573FCC3C867.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e586675.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ab2f6650cf45871d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ab2f66500000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ab2f6650000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dab2f6650000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ab2f665000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\ProductIcon = "C:\\Windows\\Installer\\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\\ProductIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Version = "134873102"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\MainProgram	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\PackageCode = "A18BDF92C7E95474E9D3DF8A68D823C3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\ProductName = "JJSploit"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\External	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\PackageName = "JJSploit_8.10.14_x64_en-US.msi"	msiexec.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Quasar.v1.4.1 (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 250217.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\JJSploit_8.10.14_x64_en-US.msi:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
892	msedge.exe
892	msedge.exe
1148	identity_helper.exe
1148	identity_helper.exe
3188	msedge.exe
3188	msedge.exe
4448	msedge.exe
4448	msedge.exe
4084	msiexec.exe
4084	msiexec.exe
4260	msedgewebview2.exe
4260	msedgewebview2.exe
2140	msedgewebview2.exe
2140	msedgewebview2.exe
3064	msedgewebview2.exe
3064	msedgewebview2.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
2476	msedge.exe
2476	msedge.exe
2184	msedge.exe
2184	msedge.exe
2412	msedge.exe
2412	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
4892	msedgewebview2.exe
892	msedge.exe
2164	msedgewebview2.exe
5444	msedgewebview2.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4288	msiexec.exe
Token: SeSecurityPrivilege	4084	msiexec.exe
Token: SeCreateTokenPrivilege	4288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4288	msiexec.exe
Token: SeLockMemoryPrivilege	4288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4288	msiexec.exe
Token: SeMachineAccountPrivilege	4288	msiexec.exe
Token: SeTcbPrivilege	4288	msiexec.exe
Token: SeSecurityPrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeLoadDriverPrivilege	4288	msiexec.exe
Token: SeSystemProfilePrivilege	4288	msiexec.exe
Token: SeSystemtimePrivilege	4288	msiexec.exe
Token: SeProfSingleProcessPrivilege	4288	msiexec.exe
Token: SeIncBasePriorityPrivilege	4288	msiexec.exe
Token: SeCreatePagefilePrivilege	4288	msiexec.exe
Token: SeCreatePermanentPrivilege	4288	msiexec.exe
Token: SeBackupPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeShutdownPrivilege	4288	msiexec.exe
Token: SeDebugPrivilege	4288	msiexec.exe
Token: SeAuditPrivilege	4288	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4288	msiexec.exe
Token: SeChangeNotifyPrivilege	4288	msiexec.exe
Token: SeRemoteShutdownPrivilege	4288	msiexec.exe
Token: SeUndockPrivilege	4288	msiexec.exe
Token: SeSyncAgentPrivilege	4288	msiexec.exe
Token: SeEnableDelegationPrivilege	4288	msiexec.exe
Token: SeManageVolumePrivilege	4288	msiexec.exe
Token: SeImpersonatePrivilege	4288	msiexec.exe
Token: SeCreateGlobalPrivilege	4288	msiexec.exe
Token: SeCreateTokenPrivilege	4288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4288	msiexec.exe
Token: SeLockMemoryPrivilege	4288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4288	msiexec.exe
Token: SeMachineAccountPrivilege	4288	msiexec.exe
Token: SeTcbPrivilege	4288	msiexec.exe
Token: SeSecurityPrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeLoadDriverPrivilege	4288	msiexec.exe
Token: SeSystemProfilePrivilege	4288	msiexec.exe
Token: SeSystemtimePrivilege	4288	msiexec.exe
Token: SeProfSingleProcessPrivilege	4288	msiexec.exe
Token: SeIncBasePriorityPrivilege	4288	msiexec.exe
Token: SeCreatePagefilePrivilege	4288	msiexec.exe
Token: SeCreatePermanentPrivilege	4288	msiexec.exe
Token: SeBackupPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeShutdownPrivilege	4288	msiexec.exe
Token: SeDebugPrivilege	4288	msiexec.exe
Token: SeAuditPrivilege	4288	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4288	msiexec.exe
Token: SeChangeNotifyPrivilege	4288	msiexec.exe
Token: SeRemoteShutdownPrivilege	4288	msiexec.exe
Token: SeUndockPrivilege	4288	msiexec.exe
Token: SeSyncAgentPrivilege	4288	msiexec.exe
Token: SeEnableDelegationPrivilege	4288	msiexec.exe
Token: SeManageVolumePrivilege	4288	msiexec.exe
Token: SeImpersonatePrivilege	4288	msiexec.exe
Token: SeCreateGlobalPrivilege	4288	msiexec.exe
Token: SeCreateTokenPrivilege	4288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4288	msiexec.exe
Token: SeLockMemoryPrivilege	4288	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
4288	msiexec.exe
4288	msiexec.exe
3860	JJSploit.exe
4892	msedgewebview2.exe
4892	msedgewebview2.exe
4888	JJSploit.exe
2164	msedgewebview2.exe
2164	msedgewebview2.exe
5488	JJSploit.exe
5444	msedgewebview2.exe
5444	msedgewebview2.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
3980	Quasar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 3844	892	msedge.exe	77
PID 892 wrote to memory of 3844	892	msedge.exe	77
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 1636	892	msedge.exe	78
PID 892 wrote to memory of 3628	892	msedge.exe	79
PID 892 wrote to memory of 3628	892	msedge.exe	79
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80
PID 892 wrote to memory of 2120	892	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Roblox Exploits & Hacks & Cheats - WeAreDevs.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a8e43cb8,0x7ff9a8e43cc8,0x7ff9a8e43cd8
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJSploit_8.10.14_x64_en-US.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1684 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7748 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7936 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,17795559342205151490,1853761172133603711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2482CE9B13B858A766AEA8C47E58CBAC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3852
- - C:\Program Files\JJSploit\JJSploit.exe
    "C:\Program Files\JJSploit\JJSploit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:3860
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=3860.968.10776032923527555761
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4892
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ff9a8e43cb8,0x7ff9a8e43cc8,0x7ff9a8e43cd8
        5⤵
        
        PID:2660
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1764,1750156056495802904,11020656468722833144,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
        5⤵
        
        PID:3220
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,1750156056495802904,11020656468722833144,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1940 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4260
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1764,1750156056495802904,11020656468722833144,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2368 /prefetch:8
        5⤵
        
        PID:5208
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1764,1750156056495802904,11020656468722833144,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
        5⤵
        
        PID:5476
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5288

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2724

C:\Program Files\JJSploit\JJSploit.exe
"C:\Program Files\JJSploit\JJSploit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4888
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=4888.5992.5349046275387222891
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2164
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1d4,0x7ff9a8e43cb8,0x7ff9a8e43cc8,0x7ff9a8e43cd8
    3⤵
    PID:576
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1744,2192071968320964207,1324435224121417967,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1784 /prefetch:2
    3⤵
    PID:2308
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,2192071968320964207,1324435224121417967,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2084 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2140
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1744,2192071968320964207,1324435224121417967,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2580 /prefetch:8
    3⤵
    PID:4324
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1744,2192071968320964207,1324435224121417967,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
    3⤵
    PID:5708

C:\Program Files\JJSploit\JJSploit.exe
"C:\Program Files\JJSploit\JJSploit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5488
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=5488.5436.10320161493073514171
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5444
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7ff9a8e43cb8,0x7ff9a8e43cc8,0x7ff9a8e43cd8
    3⤵
    PID:5404
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1900,13342293126666262779,7571405097332829176,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,13342293126666262779,7571405097332829176,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1988 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,13342293126666262779,7571405097332829176,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2412 /prefetch:8
    3⤵
    PID:2892
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1900,13342293126666262779,7571405097332829176,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
    3⤵
    PID:6052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3928

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UndoConfirm.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- System Location Discovery: System Language Discovery
PID:5680

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\1569ef37125549b687358fb9a6b521a7 /t 3576 /p 5680
1⤵
PID:5140

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000478 0x00000000000004E0
1⤵
PID:3952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5228

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:3052

C:\Users\Admin\Downloads\Quasar.v1.4.1 (1)\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1 (1)\Quasar v1.4.1\Quasar.exe"
1⤵
- Suspicious use of SendNotifyMessage
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e586676.rbs

Filesize
21KB

MD5
e35f2f627ae71a1f5fa8acbd4e9e5b91

SHA1
36c68bd3c5f2893e75ac211b4ff5a085e4f3cbb0

SHA256
772a1e159cf1f8f6b3f713aac66a38d98c5d59e50ff1b6ce83d70f438c58bf99

SHA512
a00fcdc2c26a3be17eab13e4cf8a4dd8d84878f1d466c49d6233d097721720d571e4ecb39db0a0c1ccfee8074eca248bcd89cacf2de5a8021332fd771829fb84

Download Submit
C:\Program Files\JJSploit\JJSploit.exe

Filesize
9.7MB

MD5
281a79abb33f10b3f9c6c40c0e165cc3

SHA1
ea7bd361ca528f02f0f95c376d844af98105e218

SHA256
30f840be1b9249d22c6bdc943d6901ee8723284770be1b7e18ea12a844d91f77

SHA512
2f6deba4a2cdba68820dc8a47f20253107a3420a18cf3f0995fa12b434afe41fa6213d392cab2826517b4cf8cf59fceb2083f855531daf9310128754dab7ea1b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk

Filesize
1KB

MD5
49cf9b2d9417844eb842b5f76951527c

SHA1
2b09b28bafad021cf008684ca1c0a3ca0190a8d2

SHA256
70dd66d4084cb4e04329cd222c8bff64723ff86605722479b63842a6eff5bd0e

SHA512
3addf9e1f217dc20fc61b5460d9e4158b38ac639054f2d226ae3c24a8e43352141fc82371511b91c4624cae3909cce1450660560ef2edd0a8f5f2fcdf7f093a3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk~RFe5868e6.TMP

Filesize
1KB

MD5
27cc6440746bec6b0a1ce88297f43e8e

SHA1
59743841172afa75030aa30df9512f94ca7c2f1d

SHA256
165ece5d3595ab739a1d618ea47b706e0efaccb51922c6659b9055dd9d61cf00

SHA512
f3092530f45e1446e3312f659f020195b5b716f26c9a9dc86beabefca5b9ab9b57e3173eec45b5b644058b62421bb59dbd533b5431c5002c9aebb0c83b4837f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
20KB

MD5
fa4cc25f0f72ac052e9413b46705327a

SHA1
72127f17a73fdeaf1d867ff721f8115e90d82e8b

SHA256
62215bb3463a1bdbeab484739c056495d60f9e6feab8e3974cde6bf69504f05e

SHA512
b33ebe5aad7802e7aadf31bc490bb697a7a941c4ec9a03c211b42bf54403f05dba02fdbe42bd7c28a27e309c868f4d74c060840a4aefdff57ac9c5c2cb66921c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
19KB

MD5
1e53408e78feddaa3dea2f0014d5dead

SHA1
3dbd20f4511465b8b18e4681ea24f9e0140307cf

SHA256
deb39cbf92259253ae2c5627f31489104612379e8d781a7b2bce775682c2d833

SHA512
601a7dd43d4e43ad479b4241d02652c5523b2bd900118bb2cfd579bfa451e96a6328723c61146ebc113e79c03bf718464504d43502836250fd6b3752e13d6467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
19KB

MD5
d794f25b3cb4c88e33325411c624a149

SHA1
4b045d2e4f1044c1371cf4223b7c21dd1901495e

SHA256
2484a90b8c3625ceb779ce39de976c9aa8c2a83f37926e6475b4065c0d7de6ae

SHA512
0c4008c2cb571c11a7475ed6f96dd2a218be58985d4742ae09fa74972c22a48103e1df60f8b7d98f7e1d80fd4d592be1a80a6685c7176fae914ce7fb466ad704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
17KB

MD5
aa9d4b0371cd9ae330d7b131493f54c5

SHA1
e83c2b6b6f023a6e00d18f0c9ed6b8ae9bab1459

SHA256
1ffe9b8b344a25a19f33e5900aadb00e53b8bf1a22210ab66c7b50bbcbea45a1

SHA512
337e27650c4b534683c8589dc4787eb9bcfecae020bcb1a507a1530b1fd7562ba8d185157e8af23b06e80cc70136f51bbc0fc0ac63e581e34e410c6d08d398e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
64KB

MD5
eabce6b6a823265151bede25d6513513

SHA1
17f2a747fcbab278908410f67525a85d1c6c3f5d

SHA256
7f5b46c7f93b466b26c1380bddaa858c66fed6467e4812a23a2e6816282d07f5

SHA512
9c9c2d5cf8da8781b572fb96136dc83374b48b14bc4ee27904a96496ff4a2bed7a976107c7f57a23f01b40b795e221ccb18cefb0284b5234ef59bef2d32472f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
527KB

MD5
6aa9dfa489684a49397cf26b7cc5cd05

SHA1
c2a8e7367c785617d2e1edcb6df297b74b41bfae

SHA256
76c3190d49b58cb516ce53180db99c8c66abf991bbf44a938551037410189a2d

SHA512
1e9229ecf6b90e920d6148905cb4ee859ea440f8e361f88a41683e515b6bef58e9ac7e5889c50400d833f9798f8e7efb27c323e5abfb4a67269cdc96fac8aaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
3.3MB

MD5
13aa4bf4f5ed1ac503c69470b1ede5c1

SHA1
c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

SHA256
4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

SHA512
767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cdf420967402c80ad5865f7c62c4902d

SHA1
b53f96b309bc76f243553c29bb83b0e16c723108

SHA256
de6f6d83834c27f4f7d216883d770d4855398097762bda0a19137efd9a39bbf3

SHA512
fcba8c8bb1d866d8d3a5df67c145f45d0ec706bd3e75482b907a9dc8ec1c53dea5df10214ca9dc286842fee95828844f723ed5e935d5b945d4277db15c61fd66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7832c61b5c83cceb5327d74a4dce44d1

SHA1
d9de90919cdc9975f363efd7cdf8feb986df7cf1

SHA256
5ee67fa30cef45fba9d1fea5b2317d739dc18376607e725c4288c8f728cbd222

SHA512
3f905aec30367b4a4e51ee0579c72f4f5222f6c475b4c3e4ce0cfa56ebeac921d397f8283b1a72cd7e0535a8f77625ea5b332eed54342061459145d4420c89fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
943bddb3420453d123169458dfb353e9

SHA1
0e13b1d72015da4f4fba9c31a5c253bbdafcfe5f

SHA256
e653504f4da6baa212f90a1a5823b0ebad5aef0bcb16de4921d9ca0788ede151

SHA512
001e3c5f8c3c6f1f727314d15bc1686db9b3f78ead3fc9bdf2ea67d9d74b8a4d8bebcd4e34175ef3122275aa9a7874faf2d4d0a66456d210476ed9096393e92c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9a9b2c2ff2b63d494e1909e3a9a055d0

SHA1
277e750f81ee454e9835bba93dcdf2eea6c8226a

SHA256
6d037236eaf8d261bbc3b42297a57c493a0b906ca4a1b6b6a8436c4183f144fe

SHA512
deeb547701b71171c6a6ea0e38a4257337d8b31e4b1f371fa7f1b63de36b7efe6f2e89420851cd18a3584cb18fc5d533073b56a390f6d78a012b7e97aca434f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4aec4eab282bc055f4e421f087cbb757

SHA1
468dea221b77d896050188a29b8dc2598a062777

SHA256
4840376d087fb3a698ef4e46a3a4e2627dc96406ae78d279de6349a0978a66f1

SHA512
7fdf30e7f060c157f4c5613bc550c9df4391d2b620f9cb8cb416be41c6cf5f056df6187954baa732975950b6e113c56991927fa2d57318106404ebe948062aca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
04b857fab94b4e023812f705ae6a1d96

SHA1
b9c70957f124e35103826b73517bf76cd9d04a20

SHA256
7e1315a1f82229e047cc74d8d912867cabe0487c14ad63cfaab6b488e0b77736

SHA512
249f3caceac72d1978c9b8fd8c4f70759185a4a290939f1f748618f5bbadb970c5f31d81d74b5f8b8ee195e43d299a6d7346275d1edda1a223062015e6ed4908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
31c5eade1af87d5995d1c1baf7c68c54

SHA1
50e1743ba74ab9a38058eea0e90d77a60674aae5

SHA256
607c01c9718fa6af4b7ae50e50a4a9cdf6ab4b8c5d2d4ab38fbb0a32f7d2332d

SHA512
fb861699c966af4cae421bb292337ea39b708674bdc4bd64ede14488d564e373077e0351700966f5dfcb8204d6c8710ed897a9a4fb69fdeaa51ea22700e9f545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cedc200aa5f7c5d8aa9a796d9e01c18f

SHA1
7ebbb9dee1eeb9f1d30038974446f946b5343b39

SHA256
830d8e419b0cb56523d1c9446f37e31e08c8bc07f63029cd327aacbf4c326fc6

SHA512
c67fe725f9f41d4830af44bf366a1135238f4f04c6e76abde9a6d3bda866eaa04b2544fd2567a8b39a4f32362086d5f25d714b90f0289d3ca49651924a45b1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
51c6fa8d74eef4f32f0d33826a392256

SHA1
e5d95f3bac773a1cc13503ca5710edfc332e74e7

SHA256
8d37aab3dc0e7507546ae1123c112be0fea8f20d8a92794b42f1d1d38b2fbfa3

SHA512
f1d656e49c54b05ef26997579ea2319182639c3e0cd61c47673864474787b3917f832a820c8793fa9779db93a3f166c6447b6390e057bad80dfae11cd6327214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
16676ee5a84b6c120605cdd93843e770

SHA1
ea381d9a02274d2485daa00ba077b450a95a1a7a

SHA256
c35e7fa865ecf161d9f8fcc80506a2ffb481857ecb0af378e328796bd22800d8

SHA512
9570b3af1e844bc40f4e0cb2e0005c86bc3a84ee3afaf3a66aadad59947b3d9bdf774e50f353436a2eaa1ed9fd1975eaf099130713dc87b3855dbf52667044a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
956bdde9ea502b115e91aaa38e07b72c

SHA1
bc76ae030b7d9cd1ed01d3862d9dcf2ad854b25f

SHA256
bb0eed37d874ce5709b1117e0396deeee589834652f7eead508e785f92b4167b

SHA512
1d1933bb9a070ac11304b3ccda5bf11c5421d5481e4fba85d6d8fc04b4f7528671edbe4a4c9db47515440c246bced7fdcc3471b90234ad04751a84ba6b652358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e2274940ac048d5a5fa8119b97439172

SHA1
dedcb668d05dc63043f18cc976ab77021b2bbede

SHA256
4041d7d61b281608eb23b174b5c7ee73adadf3cc7fceec3e458d2099e168fb73

SHA512
2a4e7a8ab97e8992c0bfcf4d68d98a225e3c9f2b6d0b2878bc80e18cb4911b685b735e33420f22d75385ed39eb3e5cd644df1096a43ab82bebadfb23e53b8a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
641e9187e20c976d5ef120edf7b5c3f1

SHA1
46d8f6720bb85dacd230097abf908ad0ba012376

SHA256
da3fcb66c9d01429a5b82338bf8d65d07895044c1e5ef12014241eaff9be454f

SHA512
51256ef1108c3215aeea7bdafa2cb6fc864931d4f32f719908b23d46ecf628d0d5c373d977c15e4dc41f7558fe408c11a45c242617f88ad99902f1ded7f489b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ad452f3cdf154f0bacf34ddae95cab34

SHA1
bf0a23be3054689c1d23ea640fdcf82c992d8b5e

SHA256
51a6040289e874919529c88e776b43e124ab0a1af4897d758789a66da8125e8b

SHA512
04bb04e78f7570d63dc5cbe65783fe6f2e2b76c298f48e7c5567f4ba6fce308ced12576217592f0ee1274cf3ee63f15f73f64b604d21bbf304ddd3daa15c49a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c4a61ae49ba0d815400c84b84de4f9c7

SHA1
f891f4428824198357d275c0affa01b9c4a710be

SHA256
02bd9ae994baa8cc5413b35a39a49ae94c2696055894539ba55da625367c05ed

SHA512
2a800bd3deba61e02ae023b05aa7b0a04c40d24453cd4ad35d109e12f7ddfb8c0fc3b8ebd86d4f8f8269d5479691196ff6853c04d9928fb5a1bfb3a295f292e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad1d84bf5a1113f01dc01ebe994ff6e1

SHA1
67d71f6191907ff36c33c224fb349ddf8c425580

SHA256
6069f9b979719d17a0db0054658ef40f2874b51f81ac56ebc91d1f710cdf1d6c

SHA512
95f3fbbfcc82854b66efd383700a3e7cede8dec116b82a964461728c70d0ab463a1cb6c14fb9946a3038be4b515991ad24dbf4819943f327db1baac0cc1e361a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2cd23c7a7a86b79b636301763a6e3534

SHA1
d1a32135ce01fcdbcc3773b0de0d4df600e2ba24

SHA256
c6e8ce8a323f221a2b45148e33333b5e450f5b9f703a04aca57f80d948517bcc

SHA512
4345c165ae04e40aa1a5de538bdb4c95964c19b35044384f03c4429f3c840799cc9b7a1614f15e80a57a724338fd6d7b22165d81be08200fcdb40d7a6cf5ba0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
eb422b57f8cb7182fd21aa262612b559

SHA1
16f8224f976a31229de2fb00af74e86b62a9b76d

SHA256
dd34277c9a813670d0171c6a8285ff347d9531d1c5b824d7c748c6c64ef4e6ed

SHA512
dd7138680cbb1b262562f70a481a726f9dd59e6045f727eb0cfccc56354386e5506f2b1b7a7b85f3562518d128b8b90267222ebfa7b2ba58d8833bcdec446ad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3c2800d6cd07a6b2624ff99dc1d05170

SHA1
69f3cd03fa25c600ef247fada9a7e4b188b60373

SHA256
1566996c8ad32767b5b3118b7318003ca923ccdb5059cc99c830f67d70634abd

SHA512
c7bf2913987dcb8cd4349ba63e6e17838bd1ee0c767314eba851d19496e50d864f78df3d0b80c90e0423c763942310bcf597ea096d5ce3d38d8f36f8e5fcb4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57fbe4.TMP

Filesize
48B

MD5
9595e1c2743a3e8810071d4b036d4964

SHA1
4273191d1d6965bc2b33f6c02b671ef4a1942451

SHA256
e3210c45756d87a4c688a1993378d68b0d260823fcab033fe930e014b9f395cc

SHA512
f1c6b95799dc6ce6c3756e6fdfacdfe9c616eea4c9fe771ff3717c6778ce1d61f2799bc43ca5376b8542c29375c2f2ded4cff71a2c70a4d9e63be584fb482a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ba5c0b876167a7c1c8d9a87a041edd1d

SHA1
811fa4cb5d5bd854ad909fab1c74efee678177f4

SHA256
2c39ea3169695d6d353b31f4a76364b47b8a42b976d57d4658d996467fcc5331

SHA512
da5d711b57a1e31ca9198d25ade47350415daaf64b52aca0c156cffc4f059bed284648a48801ccbef8c5f26b292367ed2d2f0b0c996ea5dc6b2d28c36261cd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c099383b5e393774ef0ec2f577ce871f

SHA1
3d50c16268d23cc7d0a65721f63d6241fb7e4243

SHA256
424aabcc0de55c345801f123a0d0ba8b1d32dd59b0a0c690be8d64b01e6c7f03

SHA512
41fe0f24b44e8ff16f7ada7166843095457a2646043d06134f283761a45acaeaf755dc3dd4a2136188d59c012a32798eb75defa48b157110073073358a0046fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
30b5a6dbfcebe3fafe7dc7529158b18b

SHA1
fb52b40c2ac711934b96aebd62d7a9cb1514bbe8

SHA256
61f43c6ed9984d935d0219f75b9330a2455adda57af985919cc1c92fd27a3769

SHA512
e0da10e7500cf5fb08cc1494fb59d93b0f1e09cf977597dd5538bd6e733a6eb4c99c943a311eebd63450c0d9d652f6e22821a6afc04aed8b3760a44878c9867d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
54e07d32d65a2bfc46a19cf21edd92ad

SHA1
c01959fa9f8239bfd2191ee069595ba26ad0c2c1

SHA256
c2144965dade35c39d9c18bd2badca8f8ae68936694e1442530837e9520940ac

SHA512
79aeba1f7392b6b2e46a737e2a71cb5eab1468d1fa3b209aa9947d5b8e85bf1674ac89a2264c2d8b80ec2faac485e25e8fa32bf26f43fe0623550849f3b22bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
876693b701c2cda2c250457be20ff2b9

SHA1
cf9a2c9a92bb836bd288f27ca57da79bbce10967

SHA256
0113b5c05abf0eaeab4b0f58f45b8127320c9de5ec6619e6f5b90bf8f2583543

SHA512
24de503dd4ad597d443a3ab0d63a06d27b8fbbbdfa11544184f1de8695851b9655f655aa1622422c26f848721e7ba4fb97de55f06fa605a071910e33eaf8fe39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3ac82f1211970f44d64637f170042776

SHA1
d92ebf32226de52d0b309ccc06b79e20da9d5287

SHA256
70071f3f426276210d3faca8e82f8967ab2d1fdff28d7718b82fc7c189878137

SHA512
c26049b9810f495b6399c1cd0600fec01e5f6628f323943d9d1814f253361c85586947beeb5526c0d5f8e743ecef7757c16500110aa75086381bf53322b6bdfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a3b9b8e2b47e21cc06185e7b964b9f9d

SHA1
57b6194426306bb90e7d7f95a7aa64a82b41daf0

SHA256
4bb701ab2cedb26d7c6529276925b8a88472dec4c0fae9678f6f6ff3bd5e703e

SHA512
dfc50de97545dd03f5a02da2c2c8e342aa4e99013737b22a88463fbe782c60adb8dfb23f602d26d400978b2fbef5772e99a9f124736f570a050c4ab2b23a4ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
acc24bc8330b82454595d65300be6836

SHA1
218b09c471f2eeee1d23cdfa7642ac0985658e87

SHA256
8d73d6b883d900f7dbaceb2f3678215b418ad631324cfe90857fd3b40bf63af2

SHA512
0acc92b3c73d06cac77c76ca058001a1c8a919d47d74157d9ee7fa23dde86c00604d193457cf782f3f7f93f761dde2f66a4abe6e9b075cadf6d4ebe67a39f89a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
aa0d32e8ee274f575f4c9fe00d783743

SHA1
cef9e5ada959676aef4bcd2ef00050be04955f4a

SHA256
34e02739774b6e78cf019dd9ec73f6a3f5b728638fbdb9babd34b2009c681530

SHA512
d42cce356a391f456b5914fbc759a081e03efd062c29d1a9721bcc940d7b9d3db0788c84d0188a100f6f65467bfc0614b281a237b82992749719d89ec651ab5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
221351c174bea31b9e7aa611021e355b

SHA1
d3ef94e96f17681ff25a2c0eb65782a0e11be5b6

SHA256
8c8177a73a65a18dfe38aefb7faf71d557f5403f4a9970522786c7e972e5b28b

SHA512
375330098c6f6773df699c38c1e8cff25bb8a1af4ac90147f6f5f75f2f21f623b27d92e848c14519671f104f21643e708162e70bdbfc62498dea73e01d7b0ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e32c.TMP

Filesize
872B

MD5
b98e04ee8bbd9fb66b6e1a02e820c683

SHA1
bcf5bb4c6933cafeb3e2b5a37fe36bd51dbfa29d

SHA256
f2441a0a175e1b7df943eb6b0449b0d93f338ecf0aab04cee99924d2b7008162

SHA512
9c893b224c57573176c2384c2873e82cd9416f1da346c9a9579d51c043dc22426d5a0074e08b119d96968db2606a062e092858c2e9e85be1d70220ddcbc86764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a526f843c3b6d1bdc9c206213e8d6b64

SHA1
2eb8a1b5b2910d18e265242e47970483e7a66928

SHA256
747bcb8237b402ee85da76db6f8637ab119483f438cbd7c9ab8c9383b63760de

SHA512
c6a05595552681c44a36af83cafba2ae712c57920cf15db07bdb6bc457759662bfff5b23a1eef39ca70abd7b2f51c9366ea568c28a398c631dd59e27de1d729a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b17fc6fa4778a8acffdc69b487111a2b

SHA1
b3024048ed19ae1cc762c6a048d0679ae9cb57ef

SHA256
27c816326e13e94dd13b89cf57c3c98c88d7fa01a178448f5e173f9a61ce878a

SHA512
2ab66c8fcf0a3e1182ef3d2d83e65dd3ba4e8494293744720f6a7f162d37ae62f05a4a3b7152dc59ac7bcbb74a144b388cb65c05680f760e7db2ba2c75a33542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f8b670446d885ce3d05934098b5960d

SHA1
cc99ddb90dedbaebbd7e00c61fdb42a1936b5a32

SHA256
eae773de400fdb8e3a60d8fb8c05ec8dcd539b2ffca9d8e8386b387cb5811680

SHA512
f2ed2bd11caf22403ad65ebc933ef2080449b9292984f7a6dd9ce4ab07256c39fec92fdbc3da167f3ccc0bf64f5281448605456d7709d20c71617b2026394d6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
414e7729da64c5f56926c882e582862c

SHA1
1498ffe26e3bd910299293a8530bffd414de667a

SHA256
06e2fcbe08d11bd39a2253b807d90f97f5adb11810870354228434d0cdc9b6e0

SHA512
c1ec920ce2204b8eee60115d856f67ea365c97f22fcc6a02a92c0c9fe3be4e415e9884389ff2c3aca16befc115d10b284a30b54b74dcedcdc1e2706778b55393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7cf125f1d199b89fddd8670503e82731

SHA1
f110bb09673682be01f4dc38a34c5bbc595f5583

SHA256
0b079b7798eb1aab3ebc6355d0f4b1323ed8373bc7e7c900d65c47ff625b896b

SHA512
6ba2bb06b84f4e4e50e5e32c4be81b463d139e69a73e2f7b1b36e8070230a2378598efb358b61045a88cbbdcc6b35743d6760b4c64d0bb2a1e48c6b8c97c782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0174f885b51d1fc4dff42370e5407b19

SHA1
cee20e4d696914fd42a47d4a20770813db0c56d1

SHA256
554f14a2a44c429ecf6d9331be658d505e5466fbe1a9f353347933394dbbae23

SHA512
329a9c022ce27c0eff27af98088ca183a6941a5681812117d40cbfb2913fb902f30cc7c686d0794f60ddff7257cf0475098072180473db4744e274db9bdc445d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\af0177ca-280c-46e2-a4c3-06744e2b365a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2287.tmp

Filesize
132KB

MD5
cfbb8568bd3711a97e6124c56fcfa8d9

SHA1
d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57

SHA256
7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc

SHA512
860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI72BB.tmp

Filesize
234KB

MD5
8edc1557e9fc7f25f89ad384d01bcec4

SHA1
98e64d7f92b8254fe3f258e3238b9e0f033b5a9c

SHA256
78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5

SHA512
d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\5be53b38-4d61-48fa-91fb-672642a43a64.tmp

Filesize
2KB

MD5
0c655c13ee669d398a039287f700262f

SHA1
c56f2453a0f7703f2373cb2b33b5de080a4b5b5e

SHA256
7a5d8d61ab3e74be5439e39874c29decd88e54b6a9a9c4ef2020378cf125313e

SHA512
eb8e870522aa8ee5901e70c4ceeeb089c6cc39264209421c5c664dc634988a383211c1a09e11f4302dd3d833f153a611907c5644cfb51b4ac7ca73c9ca56e89f

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
5d5dcc27fe7018be3532103ae72e0f29

SHA1
262d0a31a7f9be9a14e0a9fc2b702c285cd4d510

SHA256
c0e73dac937fbfaa0f812ccd592795439ce45990f7b031c47ad8c47161baf06e

SHA512
0b784fde197e72a96beaca7b5535b191db35592b98a73b0f5040412f2f3a445c7cfee5ca85223f01e2f0c2727efbb45160f7f42d8398e454ae182b4ea837c327

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
d558108cc230aca513bfc9161a77d15e

SHA1
43aa09a5a3513bc6a9992ceaeb35ec95bcea471d

SHA256
eba90a4207a730b5e3d3f485dba575665e4674885849b9cc240e1619b4c2eb3a

SHA512
8076129b60f7b1fb16f493a4ef04f1b29057983d1885f622904a87a2a837a8533ca33cfa6904e8bf86fbebbf631d45547f5730dac72b1ca510d28f7f3541603c

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\9364a96d-8f76-4c1d-826e-8078d09ab519.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
2779b99ecba8912c1c7c6f1381da9a0b

SHA1
d73ed2e40d1134650007b81d88eea70e738eb58f

SHA256
68e8c104c31dfa825acb9042af1fbf83dc12130bbefd876a68af99f6bb0baf0b

SHA512
ce2bafeb95a6542fbf917b0f6571d75bbab866ea0af224e7d8a0d7c8ba7d85ad3099f1aade5f295f8613240032e5f2379dfa2d4480a26c501023f96682c22831

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Favicons

Filesize
20KB

MD5
5688ce73407154729a65e71e4123ab21

SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7

SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60

SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\History

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Media History

Filesize
76KB

MD5
cf7ac318453f6b64b6dc186489ff4593

SHA1
b405c8e0737be8e16a08556757dc817bd02af025

SHA256
634434e865f1ba1b90039bd5afd8f01bad6d278377106022ea2a9c2d8778d31a

SHA512
b64e484d16222d8de31f53cd60b719b7d855bbc552a7d052e202382bc3013e0edaceb31e3a287f2ea6b7117ccfdb8a56ea9d7da78535d2c606183072ecd084e4

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
3KB

MD5
a36670180574857b16714a6b2f754033

SHA1
3e4a19e1d2e865a34c234d2261a8b77f83796704

SHA256
406d0d9d5cc18ade9e7977ef5128d121a5499a73b3261ae04e3c99bb33fcbb50

SHA512
4688822e09ae08848f498645931943aed119e1eb44784212ba64e5dbffaf2f89bcc2bf8f292fe019c6a81bc0d5b5b90d58aa99325b182ba8950a36ef76ac3e23

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
3KB

MD5
efddf7e453bf29510bc051aa893432a1

SHA1
ffcf5038d987c20d81617b07ba1d850a3a9d6263

SHA256
b91fa1358ac504708c2a46ff117d4653dd84f4d6e52fb286d5bd7e01a342aabd

SHA512
39a1278564ae962b4128d7336f121906f39674c64cdb2c594b8fd28ffdf0cbf866d19010d470f227113ccb9b5ba125bd8c01cb1f8f8ad105eaa74fa8f2bbb90a

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
3KB

MD5
02367503f407bda1766db6ccb3799e01

SHA1
20b37d4e659a7fa944a11ccd2cef616b33ee5bc9

SHA256
639fec24ce0bf9075c635c29bed289f6e7fd413405177df04ae88f740d8ad8f6

SHA512
627c37b8b27d1a34e19fcc939e78716f58b0a31ae3e16d36db641252d370c88fb50cc2d6bf5ae8b0cbbe0ed5eb95dd1d359b58ec972eced592ccf14a440ec704

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Secure Preferences

Filesize
8KB

MD5
255b3a5cf68cf56862f4e7e54e0826be

SHA1
df2bbd11ffd90ecd75aaee3a16b1a32265ba383a

SHA256
bf37279aca006851348f748e83f054c56af9184342ef7e37faf18165dc1a01dc

SHA512
2fd4ca12f479277483077c47dc9ee30d5b5eb0c7cd36c9b0ce36f87936595e17b75894e29707366e2683053d4b2eadf1c40612573982c164f9d4cca9ad833ef3

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\LOG

Filesize
307B

MD5
67505d24ac49d6e092abc4e9e558b0f8

SHA1
a893b66c450acabcfe1111e80fb04364ecf520ac

SHA256
d7363ba650e1932bb76a8399442f75bc26f6a345011cc60030bf4669191243aa

SHA512
b548f6e2c5c198d5062f0d646e3a9fd2f431695fa023355288748399b79665399109a73f99035b1720c10a2cc7afd4fc168666d132f4bd73b4960cc6448938a8

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Visited Links

Filesize
128KB

MD5
aef85ff84aec1563bf6fc8169e013aa4

SHA1
a548c2a0f20ae44bceb1353e6cda1be43e6ed6b3

SHA256
a52986d549bbd05a34c332641c4da985025ce3fd1a04606f9f50f912821264d8

SHA512
39282b226f5209a9309565f1ab5a9b9ae8f74e8929405d3967539fd73e9877620b9bf512055d46ae5bb52a06c4b6a3a72fac8283f26f35fd9c2c49db273dd509

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
2KB

MD5
722e942623a2ba37d9d03694b3082851

SHA1
e08b0239ab066c7e454019185c632546400a8ce9

SHA256
78b3f4a67840519a613130a71b9c601034e5fe719ac0fa3d8f198ed55383b1c3

SHA512
78024f08fcedca901b7f4a6139cc35c239a85d6657fd95dede2d7eca2fc0ed30e59f96205ff10b2d77ef76a98c34a28244838fa963dd5094f78e8cda1a08508f

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
2KB

MD5
60599d9c4c2fbd38c431c62dad59cc98

SHA1
799efbee5254ece3ff999f6551ba130e28735b7b

SHA256
866346251703a552f90fd93bee79118315e576e1833c6c30aa21d96888ff5bf7

SHA512
646d99b22b395c10d0e5682bc9ccfc7c711a2745c42148d25528a1df125fecab893327325654e19501138fdcfccb71059b9dcfa11933a0ef9320e4a9d9dd99a3

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\ShaderCache\GPUCache\index

Filesize
256KB

MD5
9282285cd43c5ef13310dc674ce19afb

SHA1
e5fcb9004a7ad9b716ffa3db032a77c4a1ef853b

SHA256
ded1298dc66acdd9598751009b1b51c3f52c4469cfdbd0d28d072857e75a2372

SHA512
f9e12e8eab6aa75db91b9b55b852061dff58984d1501345ccbce039f1bb7b778586b7f79c0d883491ecadd17810c9bf44f81e7439c4f442921a05782ab670883

Download Submit
C:\Users\Admin\Downloads\JJSploit_8.10.14_x64_en-US.msi:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Release.zip

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 250217.crdownload

Filesize
5.0MB

MD5
9a5e4420fd429b7444e7f02b2b52d0bc

SHA1
056e5ac7ef1334698f4337435985a2d6a52ae059

SHA256
44ef9c095fdc078cad8648bc9ec75f744d2c72229ee427eac65fbc1859e57172

SHA512
7728f89d67bf145106d7c86dd7a1ad27aac74898210bd86d944d7a9111c41fb3df1ab2acab5a4d5bd9cf1a6dd66d9b460368c7994bfbe8807e4c21ae142f8f5e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
a4d0f410ef8ced3408bc1d691c596d65

SHA1
0558e544ea0ce850af1bfcd841bf6a46cc86d853

SHA256
70552f9d2c689003a8255c45f4a19ceba37254ea30a926cd4c7e9137f0f52c66

SHA512
cb340990153b1d4652c2a6eb72f941959be5db2194d1afc75a37f7813e64871a5a208949ba18a6add7acda3e049b67394ff5291edaf87f43d93eab2cd056a991

Download Submit
\??\Volume{50662fab-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{72715225-8646-4a1b-93f8-f5666fab26b5}_OnDiskSnapshotProp

Filesize
6KB

MD5
a3d51cc0d43601f4f540e12c40aaa0ec

SHA1
7d7eeb17e94d9275ce91989ac4cfbe917c92eb59

SHA256
720349fa027081e1f0aef50408f39b9c6a77f8082abca7dfb97b17a9806b88be

SHA512
46e3e5549c91b3e3e9103444cf64380f497b9c6befe3ed02ec2a0b89874f1e3906a6e3d29a983aae00ff5c4f219d27ca640d799e61664dd5ec50c6f09b4fdad4

Download Submit
memory/3052-1472-0x00000000092F0000-0x0000000009647000-memory.dmp

Filesize
3.3MB

Download
memory/3052-1466-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/3052-1470-0x0000000009DF0000-0x0000000009E12000-memory.dmp

Filesize
136KB

Download
memory/3052-1469-0x0000000007EF0000-0x0000000007F02000-memory.dmp

Filesize
72KB

Download
memory/3052-1468-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

Filesize
104KB

Download
memory/3052-1467-0x0000000007E00000-0x0000000007E14000-memory.dmp

Filesize
80KB

Download
memory/3052-1463-0x00000000007F0000-0x00000000009F2000-memory.dmp

Filesize
2.0MB

Download
memory/3052-1471-0x00000000085A0000-0x0000000008652000-memory.dmp

Filesize
712KB

Download
memory/3052-1465-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/3052-1464-0x0000000005AB0000-0x0000000006056000-memory.dmp

Filesize
5.6MB

Download
memory/3220-521-0x00007FF9B63C0000-0x00007FF9B63C1000-memory.dmp

Filesize
4KB

Download
memory/3980-1749-0x00000194A6950000-0x00000194A6A88000-memory.dmp

Filesize
1.2MB

Download
memory/3980-1750-0x00000194A86C0000-0x00000194A86D6000-memory.dmp

Filesize
88KB

Download
memory/3980-1751-0x00000194C39A0000-0x00000194C3CCE000-memory.dmp

Filesize
3.2MB

Download