quasar | hxxps://www[.]mediafire[.]com/file/pnz7556xgz2tmcz/Testing[.]rar/file

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/pnz7556xgz2tmcz/Testing.rar/file

Score

10^/10

quasar office04 discovery evasion execution persistence privilege_escalation spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.40.122:4782

rayanneaa-47070.portmap.host:47070

Mutex

f1780d6b-a6ee-4632-9816-f23bb146f81e

Attributes

encryption_key
F38746D956F52C2D74C5EA46908D0B22D4BB8A0C
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001dad5-464.dat	family_quasar
behavioral1/memory/3520-466-0x00000000007A0000-0x0000000000AC4000-memory.dmp	family_quasar

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5660	netsh.exe
4560	netsh.exe
3540	netsh.exe
5020	netsh.exe
3788	netsh.exe
5096	netsh.exe
4784	netsh.exe
5656	netsh.exe
5564	netsh.exe
3668	netsh.exe
5664	netsh.exe
2360	netsh.exe
5416	netsh.exe
3548	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
3520	Testing.exe
6052	Client.exe
1140	Testing.exe
4140	Testing.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
5512	powershell.exe
1620	powershell.exe
5888	powershell.exe
4076	powershell.exe
2608	powershell.exe
5764	powershell.exe
448	powershell.exe
4380	powershell.exe
3352	powershell.exe
5464	powershell.exe
5928	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 42 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3064	schtasks.exe
6120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
5064	msedge.exe
5064	msedge.exe
4128	identity_helper.exe
4128	identity_helper.exe
2396	msedge.exe
2396	msedge.exe
2608	powershell.exe
2608	powershell.exe
2608	powershell.exe
5512	powershell.exe
5512	powershell.exe
5512	powershell.exe
5764	powershell.exe
5764	powershell.exe
5764	powershell.exe
448	powershell.exe
448	powershell.exe
4380	powershell.exe
4380	powershell.exe
3352	powershell.exe
3352	powershell.exe
5464	powershell.exe
5464	powershell.exe
1620	powershell.exe
1620	powershell.exe
5888	powershell.exe
5888	powershell.exe
4076	powershell.exe
5928	powershell.exe
4076	powershell.exe
5928	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5156	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	5156	7zFM.exe
Token: 35	5156	7zFM.exe
Token: SeSecurityPrivilege	5156	7zFM.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	5512	powershell.exe
Token: SeDebugPrivilege	5764	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	3520	Testing.exe
Token: SeDebugPrivilege	6052	Client.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	1140	Testing.exe
Token: SeDebugPrivilege	4140	Testing.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5156	7zFM.exe
5064	msedge.exe
5156	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1316	OpenWith.exe
6052	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 4712	5064	msedge.exe	84
PID 5064 wrote to memory of 4712	5064	msedge.exe	84
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4084	5064	msedge.exe	85
PID 5064 wrote to memory of 4748	5064	msedge.exe	86
PID 5064 wrote to memory of 4748	5064	msedge.exe	86
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87
PID 5064 wrote to memory of 3340	5064	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/pnz7556xgz2tmcz/Testing.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc634746f8,0x7ffc63474708,0x7ffc63474718
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10946155079400334539,2913436060921987284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:1768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4200

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OpenPort4782.bat" "
1⤵
PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\Desktop\OpenPort4782.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort4782.bat" am_admin
    3⤵
    PID:5364
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 4782"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5416
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Open Port 4782" dir=in action=allow protocol=TCP localport=4782
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort4782.bat"
1⤵
PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\Desktop\OpenPort4782.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort4782.bat" am_admin
    3⤵
    PID:5576
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 4782"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Basic Nigga shit.bat"
1⤵
PID:5708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\Desktop\Basic Nigga shit.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Basic Nigga shit.bat" am_admin
    3⤵
    PID:5884
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 4781"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4560
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Open Port 4781" dir=in action=allow protocol=TCP localport=4781
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort47070.bat"
1⤵
PID:5916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\Desktop\OpenPort47070.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort47070.bat" am_admin
    3⤵
    PID:5988
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 47070"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5656
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Open Port 47070" dir=in action=allow protocol=TCP localport=47070
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort47070.bat"
1⤵
PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\Desktop\OpenPort47070.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort47070.bat" am_admin
    3⤵
    PID:880
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 47070"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5564

C:\Users\Admin\Desktop\Testing.exe
"C:\Users\Admin\Desktop\Testing.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3064
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6052
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OpenPort47070.bat" "
1⤵
PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\Desktop\OpenPort47070.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort47070.bat" am_admin
    3⤵
    PID:5340
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 47070"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Basic Nigga shit.bat" "
1⤵
PID:5420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\Desktop\Basic Nigga shit.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5464
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Basic Nigga shit.bat" am_admin
    3⤵
    PID:696
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 4781"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OpenPort4782.bat" "
1⤵
PID:4644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\Desktop\OpenPort4782.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort4782.bat" am_admin
    3⤵
    PID:5724
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 4782"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort47070.bat"
1⤵
PID:5748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\Desktop\OpenPort47070.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort47070.bat" am_admin
    3⤵
    PID:652
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 47070"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Basic Nigga shit.bat"
1⤵
PID:5712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\Desktop\Basic Nigga shit.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Basic Nigga shit.bat" am_admin
    3⤵
    PID:5552
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 4781"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort4782.bat"
1⤵
PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\Desktop\OpenPort4782.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\OpenPort4782.bat" am_admin
    3⤵
    PID:1052
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall show rule name="Open Port 4782"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2360

C:\Users\Admin\Desktop\Testing.exe
"C:\Users\Admin\Desktop\Testing.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\Desktop\Testing.exe
"C:\Users\Admin\Desktop\Testing.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Testing.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2ec84917-c234-4c55-a7af-58677c56b7bc.tmp

Filesize
3KB

MD5
c89cac11d0e3c39388a0ddc9fb8754c6

SHA1
8919c02720412abc4b18513953e8c2b501536eee

SHA256
761d12952bf0de8b578e276972bfe9ba225060929d7efb2476d1404f3542708e

SHA512
db954ad94fa78ea4f815855650fca95bf10563285428e0599cf88a97acc214f15f0be2a58ecacdd46dfcb5e712c32706b3439e4f2541cafacae0bc7e86f6fbe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
7cf48bd06e912dd0a0992eeb9b3e4c26

SHA1
e5a64bcfddc22f5fab60056b942125d759458a28

SHA256
b5d9bd9e71f0c351dd47289b0c89457b7c8c1eb48d7e95b03ce1544310bc87c2

SHA512
713c88b92077147ad0d0f43048e4b58a46d2f4b1838ca92b8a3c07106596e713bd90bd3e93be3bc3c1431c657b36661687d422c8d4ee59bd917918fc24d24f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cdb2c2807c09562d76ac89010ed9dc79

SHA1
cee483883e5a606527302466f61483a63a0f597b

SHA256
b125d3f85c89d42ccbca9628561a9b90fab215a6879e2158028eba33dfa17907

SHA512
c5c518fdb4d0a7b6a6fb5a683c96ef310dc8b2a1a2b5eaeddb89ff34ecdc9f318f9857ab92521135afa9f7dbd525ef337ed3724cc99a61d52e1480b488474827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6c5d7ce4bdcc9677010857a73416ceb

SHA1
c0b04817be33d2ed4aa1a63528b7e2dd40b05ddb

SHA256
72f9b9ebacd759e0363fa5d10e320cdfbeea115a20d58a0bc052fa273a1b8263

SHA512
15cc6d01196dce4b2efc6f8c0ce6cfdb2161642f0db1c83e4775e4ad812b169ccbf1c7a5ff30cb50bce49e39a9948c89af3c0b1387bc45c1d31625d99ca6e5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
46930444fc9cdf2149299052a91be3bc

SHA1
4b8bab4ed7ad318d8644e02a5559845ceaec656e

SHA256
6cb2cf119f237a6714f588a060f1d4d87fd58e28c7b84334ad85169629be18c9

SHA512
7639199b5771c6c646ea1099cdada8268dbbe4a38e5e81baec69ef1913f57871f7a6c35f6d526530e375b69b1dd9637f59039f41896e1466762994a0459a0a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2ea41314b6f763bf60f4c30bca5be335

SHA1
ed1e5ab574a2187af5654097ac42960e975d1136

SHA256
d2d976a72163e220d861e565bdd58ca60a80bd6e134b401f04eb9802ea0a4401

SHA512
2628794890c402c8404ef61378ede025220a42291ec63aadfafbb2631b5a47c53ff747706e51a58a5e4188882e0096bf9676b2d7c29a85c95db95751fa6d6616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fac73a802e572fb778db1d6c4c006f95

SHA1
40e8000f018eda5974425cf7d663c3fa6c92822e

SHA256
edb940746c74d5d4216dda0b78363970a2bb37a7e851bbb50b5738b895996fe6

SHA512
d23fc567e50a9301dbb26e0c7351b502eb97a03717072f4bba0a6a8003a630f5a0262ef32427ca1d406dc24df6eac3cfca18a551b0115e271a5560fb431d800e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58268e.TMP

Filesize
48B

MD5
b794edd60b22a4eb2d9b6c7f4fcf6941

SHA1
669f965562eb265df6d38022e8727964b2691e48

SHA256
ebe97fabf7d5483aadec50497e6409053cdc1d277a6f5047391aed3658dfe517

SHA512
884333eeb1f26e87e1594016c7206d9c8fea5cc8c33909f8ca626d4fa33082f76a84da014cf7ebe5834af2f6c305c473ded1d1ebb22eee9a8a2162911cdc6ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1bc4b81803ea25b9cb87d6c4ae12a8d6

SHA1
15a1551dc7c49090e44af1d7745eda2495985c61

SHA256
031c88c9ac5fcb72cfe7b1563425c093e12a0d42e20c735316b728e2071d72a5

SHA512
0c57daf507c7f2a994a3d648904309f2c33d3295ce25524e895de5bf99a930dbc091444377e9ad73dfae3dbc9337718e7cdb156a46870d949f504a3d92e37503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fb09.TMP

Filesize
1KB

MD5
e7f34dfa6763d0a869d76fea9fae7a6c

SHA1
40efe1d04c3ded260db76e56153e881d4f095c93

SHA256
f2e3703bbd361bffe80df0826450764b3370083f2473a6d09be8a402a695cb12

SHA512
8fb2d3650348f7bba4f90c2260550ff3864139ed49be8b307abc384c513b47bb5cc977e3caef798c2d540a9bd62a14bde2943cee3c10656c6d880f05d5b40c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
77ab607b4abaae640643a5dfd27815b2

SHA1
74167287aeb7674f1cea52ba2f63e11d23ea73fb

SHA256
884ef2166099f2f464349cd6d5035c1a7538ebc37c2e6bbbdcb8ca9aebd37c63

SHA512
49008f32ea301820f492234d2142604388f227eea05017bc2c334cc2b6dfea0ec3a58c699f88796b57d0d5f94de506a33226817476f92c6923a9f440f5caaf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b79a8e60a3144184348926e3a0b9961e

SHA1
1d5dc4345143386ef7ff391559a2c1b0a702e6ad

SHA256
abd9ec5a3d47cf8a8f0dc3c01fe8ae95846b2eb4a7b7ed7e4429f0de1e0684b6

SHA512
2c04ad440492f46bf65e1e021fcdd1c45320aa642857ecd4e22cd74f8caf3bfdb2ddc223abfff95289c53926835184f3252e1c3309a074d0b9b63909956eb9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
277df96a2c9d65b8f14b43afd27cd18f

SHA1
7b5d4d58ff7dd877446e45b69b1e7f6a3bd5b1f9

SHA256
5cd945894ba70494971f30e917aaca2e98594d1cbce4f07eb30147b342f3e1ff

SHA512
320c0e69d628a071f7996207f86c035d89f3b3821b5e8495b3671d9da040f1c0be01100dd8f28d8d8644b2b6e353303c7d7cfc70c6e3c9a209c4e2580fdd0177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d859efe866fb18468fd849b10a19f641

SHA1
8f98f104e0539786d2e9f8bca1948cee8466c0b3

SHA256
5aac200bc7f31c183be7ef5c857a5ecb944d5f474595fd35f5521b5795055ac7

SHA512
fd8291964b8dec4888b5145c07680a7c1b73ee52e026e437e7fabc3c32b6ab9e40cece5ef2b9fd7cadf2e6440dfd322936900e0780e3f80673ab1d1877c66720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thy3gk35.whi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Basic Nigga shit.bat

Filesize
594B

MD5
732934e81e3bb431f01edc8a8877be02

SHA1
55d4c0c8019d7010a210d0c3b266ca2704532e91

SHA256
68581cd6e309ee7fb59a5cfd7922ce3af8fd4976c38a9cdf022ad82b3e61af6d

SHA512
145e3c25be6875204b635663771bb1fbcfc77f8d12c447873da646d6bd35990f2dd538ffc349ae85b42652a0dfe2ed85dff4a465f567f4712c0a611ccf11afc3

Download Submit
C:\Users\Admin\Desktop\OpenPort47070.bat

Filesize
579B

MD5
e130dfa59b9fc3ab6088197bbe40dd93

SHA1
7e376e6ff51dd6fd2620a9a9f3c5482cde45b351

SHA256
e1e743e138ed050ab8bc1f76ea7ff88b0d533870047d19204318499c8c88cfa2

SHA512
02b6b63c9d86f92774f4e85e9cfd8a055d958dd4c2d16a9a9cb765e8f267e3b1bed7bff304f39fdf61a0ef1e441b851bad1e26ca2af576c8a1459f363163d59d

Download Submit
C:\Users\Admin\Desktop\OpenPort4782.bat

Filesize
578B

MD5
6bf40b3e2356b26bd4cb6dc373ccfbbc

SHA1
fc3999705f0e5966629acab92c5ee8e106ee4353

SHA256
ea764ca9b6ebebdc2b7d904438632a3bb9474fa4413b0da7454ad544796f2db9

SHA512
35486de07e0ba8757d9237489488427ebd9f2d934f6132709f340ca5316312aa7aaed0581e7c4c89bb50693a1a6c15fbbf33d4088367b16ea9d97a0051e6d7a9

Download Submit
C:\Users\Admin\Desktop\Testing.exe

Filesize
3.1MB

MD5
db959977d9acce58e61aa4ef12821dce

SHA1
7e50e26cef4f9a717401d84d8550958bb074ba76

SHA256
21938faab3c33d56e889851cb0f81046154d14be56847374948879b6a19fb4a7

SHA512
f52ac84c3eddf50deed156fcfa291dde981c4179aea1b72984791332389d8add9b68d541a47bfdc3632fdf745d6f0e1465c74187a9057ee5cb570a63e2b7955f

Download Submit
C:\Users\Admin\Downloads\Testing.rar

Filesize
1.0MB

MD5
289ea55162774e3fcfb829e31a621a05

SHA1
b129d0b6d9f3d4ca2e71a59997258dcac6679293

SHA256
6f53594dbef2a88901782608ddfde6508429b8836eb9895ac2fef53cd014cd53

SHA512
357a7de94b2488cf1ffd8ad5d8535033b77ca549a68ff10c39d62ddcb69a7079a2b4d044e92db83a53516b219564340fc589b26de72a1f7756ac74bad8556dad

Download Submit
memory/2608-410-0x000002314FD90000-0x000002314FDB2000-memory.dmp

Filesize
136KB

Download
memory/3520-466-0x00000000007A0000-0x0000000000AC4000-memory.dmp

Filesize
3.1MB

Download
memory/6052-473-0x000000001B730000-0x000000001B780000-memory.dmp

Filesize
320KB

Download
memory/6052-474-0x000000001B840000-0x000000001B8F2000-memory.dmp

Filesize
712KB

Download