Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-12-2024 02:16

General

  • Target

    https://mega.nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

192.168.1.11:4782

Mutex

QSR_MUTEX_f39lWqYnYtP5YngtM5

Attributes
  • encryption_key

    c5q7P5jsfrwN6nB5c3mG

  • install_name

    SystemUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsUpdate

  • subdirectory

    SubDir

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg
    1⤵
    • Quasar RAT
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d6046f8,0x7ff83d604708,0x7ff83d604718
      2⤵
        PID:2176
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        2⤵
          PID:3016
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2012
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
          2⤵
            PID:4376
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            2⤵
              PID:1520
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
              2⤵
                PID:2208
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5184 /prefetch:8
                2⤵
                  PID:1468
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
                  2⤵
                    PID:1136
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1844
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
                    2⤵
                      PID:1240
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
                      2⤵
                        PID:4588
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
                        2⤵
                          PID:972
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                          2⤵
                            PID:2608
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
                            2⤵
                              PID:4284
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
                              2⤵
                                PID:408
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3252
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2376
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:764
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4040
                                • C:\Windows\system32\AUDIODG.EXE
                                  C:\Windows\system32\AUDIODG.EXE 0x4e8 0x2f4
                                  1⤵
                                    PID:3836
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:5292
                                    • C:\Program Files\7-Zip\7zG.exe
                                      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Dox Tool V3 Cracked\" -ad -an -ai#7zMap11163:100:7zEvent32256
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      PID:5556
                                    • C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked.exe.exe
                                      "C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked.exe.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:5796
                                      • C:\ProgramData\vshost\vshost.exe
                                        C:\ProgramData\\vshost\\vshost.exe ,.
                                        2⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:5984
                                      • C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\AlphaFS.bin
                                        AlphaFS.bin
                                        2⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:6000
                                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                          3⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5212
                                          • C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
                                            "C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            PID:5540
                                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                                            "C:\Users\Admin\AppData\Roaming\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                            4⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of SetWindowsHookEx
                                            PID:6064
                                            • C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
                                              "C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
                                              5⤵
                                              • Executes dropped EXE
                                              PID:5156
                                        • C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe"
                                          3⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:2376
                                          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
                                            "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5248
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe" /rl HIGHEST /f
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1684
                                            • C:\Windows\SysWOW64\SubDir\SystemUpdate.exe
                                              "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe"
                                              5⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:5692
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe" /rl HIGHEST /f
                                                6⤵
                                                • System Location Discovery: System Language Discovery
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5704
                                          • C:\Users\Admin\AppData\Local\Temp\DOX.exe
                                            "C:\Users\Admin\AppData\Local\Temp\DOX.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2944
                                      • C:\ProgramData\winst\winst.exe
                                        C:\ProgramData\\winst\\winst.exe gjM27i1oMlvtyvQKlBIJF4qxeqSA5NaIvOGkgIak9A6C2YQM8qSJir9FO0mIhtet
                                        2⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:6040
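The two schtasks invocations in the process tree above are the persistence step: the first registers an ONLOGON task named "WindowsUpdate" pointing at the Temp copy, and the second re-registers the same task name to the copy installed under C:\Windows\SysWOW64\SubDir\SystemUpdate.exe, both with /rl HIGHEST. The script below is an added example, not part of this report or of the sandbox's own signature logic. It parses `schtasks /create` command lines into their fields and flags the attributes a detection engineer would key on. The sample command lines are constructed from this report plus a benign control line; the user-writable path markers and the list of imitated component names are illustrative assumptions, not a complete ruleset.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two schtasks command lines from the process tree
# above, a benign control task, and a non-schtasks command line.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized',
]

# Matches "/tn value", "/sc value", ... with either a quoted or a bare value.
_SWITCH = re.compile(r'/(tn|sc|tr|rl|ru)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Heuristic location markers (illustrative assumptions, not a complete list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Task names that imitate Windows components (illustrative assumption).
MASQUERADE_NAMES = {"windowsupdate", "windows update", "systemupdate", "microsoft update"}
AUTO_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE"}


@dataclass
class TaskCreate:
    name: str
    schedule: str
    target: str
    run_level: str
    user: str


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Return the fields of a `schtasks /create` command line, or None if it is not one."""
    head = cmdline.lstrip().lstrip('"').lower()
    if not head.startswith("schtasks"):
        return None
    if re.search(r"/create\b", cmdline, re.IGNORECASE) is None:
        return None
    args: Dict[str, str] = {}
    for switch, quoted, bare in _SWITCH.findall(cmdline):
        args[switch.lower()] = quoted if quoted else bare
    return TaskCreate(
        name=args.get("tn", ""),
        schedule=args.get("sc", "").upper(),
        target=args.get("tr", ""),
        run_level=args.get("rl", "").upper(),
        user=args.get("ru", ""),
    )


def _in_system_root(path: str) -> bool:
    """True when the (lower-cased) path is a file directly under System32 or SysWOW64."""
    for sysdir in SYSTEM_DIRS:
        if path.startswith(sysdir):
            return "\\" not in path[len(sysdir):]
    return False


def assess(task: TaskCreate) -> List[str]:
    """Return the reasons a task creation looks like malware persistence."""
    reasons: List[str] = []
    target = task.target.lower()
    if task.schedule in AUTO_TRIGGERS:
        reasons.append(f"trigger {task.schedule} re-runs the binary without user action")
    if task.run_level == "HIGHEST":
        reasons.append("/rl HIGHEST asks for the highest integrity level the user can get")
    if any(marker in target for marker in USER_WRITABLE):
        reasons.append("target binary lives in a user-writable directory")
    if any(target.startswith(s) for s in SYSTEM_DIRS) and not _in_system_root(target):
        reasons.append("target binary sits in a subdirectory of the system directory (heuristic)")
    if task.name.lower() in MASQUERADE_NAMES and not _in_system_root(target):
        reasons.append(f'task name "{task.name}" imitates a Windows component')
    return reasons


def triage(cmdlines: List[str], min_reasons: int = 2) -> List[dict]:
    """Parse every command line and keep the task creations with enough red flags."""
    findings = []
    for cmdline in cmdlines:
        task = parse_schtasks_create(cmdline)
        if task is None:
            continue
        reasons = assess(task)
        if len(reasons) >= min_reasons:
            findings.append({"cmdline": cmdline, "task": task, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(f'[!] {finding["task"].name} -> {finding["task"].target}')
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run against the constructed sample, both report lines are returned with four reasons each, the benign "Backup" task yields none, and the msedge.exe line is skipped at the parse step. The same parser can be pointed at Sysmon Event ID 1 command lines or EDR process telemetry; the `min_reasons` threshold is the knob for tuning noise in an environment where ONLOGON tasks are common.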

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      85ba073d7015b6ce7da19235a275f6da

                                      SHA1

                                      a23c8c2125e45a0788bac14423ae1f3eab92cf00

                                      SHA256

                                      5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

                                      SHA512

                                      eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      7de1bbdc1f9cf1a58ae1de4951ce8cb9

                                      SHA1

                                      010da169e15457c25bd80ef02d76a940c1210301

                                      SHA256

                                      6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

                                      SHA512

                                      e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8384544c-9db9-4026-ba18-c09fc8f29e8a.tmp

                                      Filesize

                                      6KB

                                      MD5

                                      ce605fad313f3dff835e59a46d3f7942

                                      SHA1

                                      3fdbcdb9e048ce4f8481ccc8b01032e7814dc3db

                                      SHA256

                                      867279774a58f0acdacf80fc816ebf133ba3ca8ba881e24726e11b138e8d74a7

                                      SHA512

                                      19626d11d6f5d537f16c86d5a1796ba3f40654217e689efb2dcc0e329846c15f2eb95523963d472ce1cc636ab8c04c8be04154152d355d3ff3120bf1962e9697

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

                                      Filesize

                                      36KB

                                      MD5

                                      f90ac636cd679507433ab8e543c25de5

                                      SHA1

                                      3a8fe361c68f13c01b09453b8b359722df659b84

                                      SHA256

                                      5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce

                                      SHA512

                                      7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      72B

                                      MD5

                                      6dd28d1ef8c2e869be0bb1c79dc076c4

                                      SHA1

                                      57c3e809db473933149d69f02975ba6948879567

                                      SHA256

                                      ff5f34ceeefdaec43c4cb38942c84f62eeecda87a5fb43451588ba1697a1baf1

                                      SHA512

                                      95532e756af2767de38978059897fef1254305093f1a5761cd7ea5c26f73f6597ad5a1609b3393cdad1a2e3557da80b20d44ee30eec891eabb1b0bdccbb171f3

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      46295cac801e5d4857d09837238a6394

                                      SHA1

                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                      SHA256

                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                      SHA512

                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      188B

                                      MD5

                                      008114e1a1a614b35e8a7515da0f3783

                                      SHA1

                                      3c390d38126c7328a8d7e4a72d5848ac9f96549b

                                      SHA256

                                      7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

                                      SHA512

                                      a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      00b2d67602697307175caa2da4541e55

                                      SHA1

                                      4b94adb2540a42b57475cbf435b406d028824625

                                      SHA256

                                      af5633854f2bcf8668bfb39e5c59c477752d840df8db1d7fe2e87070eff4ffd6

                                      SHA512

                                      da90e94e3dbded4efda7127c8dfa3a854cbe211564b026cd47239dd17795844a50b3cac93158bb011d3841e0d459604a511a50b30b26c51b2617695a68a4283b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      3f3c30e4ba92b1b09454e62167bb69f6

                                      SHA1

                                      70de992f7303d60c4690c1d2ca81821106dfdd63

                                      SHA256

                                      9bf12e004c83aa5eefa63011cbcdd038a9f3b87bfbacc7a0f855b3f70f2dad4c

                                      SHA512

                                      fc76d119cc3476f1b407a80e363ca7396aa30b12a505183e71df2f6ddd05b4b368c14b246ebcd717baeeee928f3e60a2c516fd334a5ff57ecc34e77294e21faa

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

                                      Filesize

                                      41B

                                      MD5

                                      5af87dfd673ba2115e2fcf5cfdb727ab

                                      SHA1

                                      d5b5bbf396dc291274584ef71f444f420b6056f1

                                      SHA256

                                      f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                      SHA512

                                      de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                      Filesize

                                      72B

                                      MD5

                                      ef01dbb30aaf381eef26def24f99ecb8

                                      SHA1

                                      75b8fb176e278bd70606321e6cd59faffe2add61

                                      SHA256

                                      37d9a7ee116a6a20518ae52e6c81477a5c5f71ead11c47000cddf8b844768263

                                      SHA512

                                      71fd4df4b8c17b5fefb0de1a222c4717df14b10530fb29d4a88d99e0f9853c109914e9f390a6ddf3642ff449716018deebeb8f73bfeb902636a227cf899d687d

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580105.TMP

                                      Filesize

                                      48B

                                      MD5

                                      7bba8d0cf5c78417c72f5c71af40d5f6

                                      SHA1

                                      8937421e7de2d774842124244d79ddb74c161a04

                                      SHA256

                                      02ff0a518334fed3670288f00e9645eebd122df9accd1028e10b87506838d9f2

                                      SHA512

                                      c8514f888079daa1455d2986fa157656eba60dec84e02f0f278890704688f1727e02779ea59325860fb1beb77395a8ed0f8294480925f86db7aaa7e18ffff009

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 37019fcbe7bb81c7132195c84ba62a5e
  SHA1: 215fa1715f4ce21025af03f1f1f66d5bc437ba60
  SHA256: 4195ad40e9f30efe431c4b65fe545dec8d4fca53537eddc727c4930915aed087
  SHA512: fa264eb95db8ec71d346c8053b4e8be460d6d4cc44ae3a365c499df57061074a8202a7353d7bcbf59df001cedea1f7ccdb2d269f7f51324a21578325224e4b48

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 9a082a1d2821ee76a7b27bcd09b65fb9
  SHA1: b691f3056c311ba0ce63a864b32a155617282d84
  SHA256: 429b89207b7840643b6b036d582eeb24890193065c59693ab69abb394f1ac168
  SHA512: 82ba50e13298b5382dccd11248a59a5eccc2d30513ab019ffb2a6edba45f82c899453e475c6ce78467d83d4c7b12ac9d8b68cdad16b8ad7ea5f634bc5c3179c4

• C:\Users\Admin\AppData\Local\Temp\DOX.exe
  Filesize: 154KB
  MD5: 670f75850165e3c3ef0df41e1565ff58
  SHA1: 784ae13c951ac390d7dea0071c97aded6800b708
  SHA256: fb128eba50fac8bc22faac39de602c306809cb37167b950bd194eb0bd9832812
  SHA512: c0355235fbce7829dbcd3fac26ec5663b09c880826a014599127f330ddd3c16a95a0ab973fa75ddbb4ce0f8756ab2494739b04d1fda0bb799d577e493c9ca9b9

• C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
  Filesize: 688KB
  MD5: 19d55f26a6237985cb72c59c08d4828f
  SHA1: 8bc51ad39e35f9be7d46e9e90e754e07d9c88b80
  SHA256: 317f9d304aea7c5a4b3516f5379a63e2a4fec91578f3c3f69507c8167798062e
  SHA512: 7a9de012783f9323264fb59739b76195acedd846ea15382d67e5ab19325269a37647865aaa44da9a97fb8eacdf365c1b6c55c0920c46a6cdca6a7c73b09e19d1

• C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
  Filesize: 20KB
  MD5: 0d282d4eb8db6d5152b4e5fd3e2064b5
  SHA1: 72cec747647d5d0f6ef2e5ddb34f1db68fc183e5
  SHA256: 8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061
  SHA512: 16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

• C:\Users\Admin\AppData\Local\Temp\WebCam_Capture.dll
  Filesize: 20KB
  MD5: 94306f6cf69f7e7c0b4f10ea499f73dd
  SHA1: 3228b4c2ca9109aa86f2810afc3d528947501c92
  SHA256: ed937977d846c19ea5a721c8f720dafc4c697c2b136c17d66d7b6a4200090a7e
  SHA512: d6c19775a96dedbd40be96d5b3aa3fb0db3d52749e0d54667b38a2f677c94b630ab543457708a1c123776ec473e9f40f18eb4080703ee9adf08110c417dea136

• C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  Filesize: 348KB
  MD5: a59f7fb8ac2dc166432a86eb8e2179ff
  SHA1: 9c8b24bda935e397e1c0cb33752331fe1f773b45
  SHA256: 82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc
  SHA512: ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

• C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 76KB
  MD5: a57d275fcac1be0b9aad189223a313df
  SHA1: 0762b222741fa30751dce16e7dae2bcd191adaea
  SHA256: 1c6d4e2a60849385c9b4cfbb1fc92032cb503497099208f62d7908e52b9b487b
  SHA512: 41d90ec2548654b86bba21d178bae55b538bc7acf7811b9615095e4719e52075096053427ff85428a51047f405e8d1e6a633b999655e296c9ac396fb2bba36a8

• C:\Users\Admin\Downloads\Dox Tool V3 Cracked.rar
  Filesize: 1.1MB
  MD5: 149c03573d781dccd10542212a439f02
  SHA1: b70b800fd6884217c466cd913bb75b703e8a2a56
  SHA256: e38e7376cbdbfefb2cf083511f3245ec9806ea1b27a07119d2c4ab56517f6b62
  SHA512: 9a1084e5d2e6427de7d5534f2ec802c7b3ef3ec8668e5626a0cfa60438f8ec01eefe33594855cafebf00d9d4eec71c2ab003303e42a02ff765c1de0b5af2e69c

• C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\AlphaFS.bin
  Filesize: 1.0MB
  MD5: 8f36caf603f3f2b192c5fd06a8e3c699
  SHA1: 44f387152ee1fb02a83ed0be5e942fd4a733e235
  SHA256: 0ca828c630091173cafd2663393888849459fbc9581d1fd062567d0afdf79a38
  SHA512: 9df012c7420a4f6224907a8ac1e3293985b30c9ff829ecc9cdeea56fdcaa1c46d8e131fdd9b525e6af092065a29401c11f24390ba30969e9f3ab7e60e094dcba

• C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked.exe.exe
  Filesize: 329KB
  MD5: a7ae7bfe54f48516f9012048dc630ffc
  SHA1: 0374afa512283c4a590ae7a5c24935bef3c8ffd2
  SHA256: f6339244d3af530e3ef3a604f088d59e8d0291334c2b0892cc5663337ad63c9e
  SHA512: cb3216b5c21832634abfd55cfd2cdd81a0907fd45a5a1f3b58bc89eab888fb16d0d2c2a8383964dadc1583850b712ba84f796bb0073e37ed3e4c5911d39ea7ac

• C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\libcef.cfg
  Filesize: 211KB
  MD5: 59238144771807b1cbc407b250d6b2c3
  SHA1: 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
  SHA256: 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
  SHA512: cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

• C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\libexec.dll
  Filesize: 238KB
  MD5: 4e6a7ee0e286ab61d36c26bd38996821
  SHA1: 820674b4c75290f8f667764bfb474ca8c1242732
  SHA256: f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
  SHA512: f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

• memory/2944-335-0x0000000005210000-0x000000000521A000-memory.dmp
  Filesize: 40KB

• memory/2944-334-0x00000000052D0000-0x0000000005362000-memory.dmp
  Filesize: 584KB

• memory/2944-336-0x0000000005460000-0x00000000054B6000-memory.dmp
  Filesize: 344KB

• memory/2944-328-0x0000000005100000-0x000000000519C000-memory.dmp
  Filesize: 624KB

• memory/2944-329-0x00000000057E0000-0x0000000005D84000-memory.dmp
  Filesize: 5.6MB

• memory/2944-326-0x00000000008B0000-0x00000000008DC000-memory.dmp
  Filesize: 176KB

• memory/5212-293-0x0000000000140000-0x000000000015A000-memory.dmp
  Filesize: 104KB

• memory/5248-352-0x0000000004C90000-0x0000000004CF6000-memory.dmp
  Filesize: 408KB

• memory/5248-327-0x00000000001E0000-0x000000000023E000-memory.dmp
  Filesize: 376KB

• memory/5248-354-0x0000000005EA0000-0x0000000005EDC000-memory.dmp
  Filesize: 240KB

• memory/5248-353-0x00000000052A0000-0x00000000052B2000-memory.dmp
  Filesize: 72KB

• memory/5540-348-0x000000001C640000-0x000000001C6DC000-memory.dmp
  Filesize: 624KB

• memory/5540-349-0x0000000001670000-0x0000000001678000-memory.dmp
  Filesize: 32KB

• memory/5540-351-0x00000000016C0000-0x00000000016C8000-memory.dmp
  Filesize: 32KB

• memory/5540-347-0x000000001C170000-0x000000001C63E000-memory.dmp
  Filesize: 4.8MB