quasar | hxxps://github[.]com/Hello529648/github-dont-ban-its-for-test[.]git

Analysis

max time kernel
130s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Hello529648/github-dont-ban-its-for-test.git

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

Client2:4782

Mutex

QSR_MUTEX_RH6ctD844WCagY5nuM

Attributes

encryption_key
nyassPD33yuypk3HMAZZ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	104	ip-api.com	Process not Found
Key created		\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
	78	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d7a-203.dat	family_quasar
behavioral1/memory/4556-275-0x00000000003C0000-0x000000000041E000-memory.dmp	family_quasar

Downloads MZ/PE file

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 13 IoCs

pid	Process
4556	wawenoKey.exe
1500	Client.exe
2452	Client.exe
964	Client.exe
2452	Client.exe
2808	Client.exe
2208	Client.exe
3236	wawenoKey.exe
2740	Client.exe
2660	Client.exe
1180	wawenoKey.exe
1580	Client.exe
2592	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	ip-api.com
104	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wawenoKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wawenoKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wawenoKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2184	PING.EXE
828	PING.EXE
976	PING.EXE
828	PING.EXE
3156	PING.EXE
2128	PING.EXE
4988	PING.EXE
1408	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	wawenoKey.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 283990.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	wawenoKey.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	wawenoKey.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
828	PING.EXE
976	PING.EXE
828	PING.EXE
3156	PING.EXE
2128	PING.EXE
4988	PING.EXE
1408	PING.EXE
2184	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
5020	msedge.exe
5020	msedge.exe
32	identity_helper.exe
32	identity_helper.exe
2776	msedge.exe
2776	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	wawenoKey.exe
Token: SeDebugPrivilege	1500	Client.exe
Token: SeDebugPrivilege	2452	Client.exe
Token: SeDebugPrivilege	964	Client.exe
Token: SeDebugPrivilege	2452	Client.exe
Token: SeDebugPrivilege	2808	Client.exe
Token: SeDebugPrivilege	2208	Client.exe
Token: SeDebugPrivilege	3236	wawenoKey.exe
Token: SeDebugPrivilege	2740	Client.exe
Token: SeDebugPrivilege	1180	wawenoKey.exe
Token: SeDebugPrivilege	1580	Client.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4840	5020	msedge.exe	84
PID 5020 wrote to memory of 4840	5020	msedge.exe	84
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 1540	5020	msedge.exe	85
PID 5020 wrote to memory of 2800	5020	msedge.exe	86
PID 5020 wrote to memory of 2800	5020	msedge.exe	86
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87
PID 5020 wrote to memory of 4968	5020	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Hello529648/github-dont-ban-its-for-test.git
1⤵
- Quasar RAT
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec77846f8,0x7ffec7784708,0x7ffec7784718
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2420 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8408663501584522838,12950354403890175399,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4188 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

C:\Users\Admin\Downloads\wawenoKey.exe
"C:\Users\Admin\Downloads\wawenoKey.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4556
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S6AAn7mClej6.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2128
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIFUkNF2s8SH.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4988
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DrZbqs2oX8Uf.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L647AM0bB2JY.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1cmlhNTjpQx8.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iDDu6bHdsiGI.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660

C:\Users\Admin\Downloads\wawenoKey.exe
"C:\Users\Admin\Downloads\wawenoKey.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:3236
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcMj9CjiBO5a.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:828
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2592

C:\Users\Admin\Downloads\wawenoKey.exe
"C:\Users\Admin\Downloads\wawenoKey.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:1180
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykQnKP4vNKZt.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3448
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ccf4532-cdf2-4620-b5d9-6b0741fa4338.tmp

Filesize
6KB

MD5
0f60aecb5486cbf63429572f14622556

SHA1
38bdce4c6e13ec6f42421636d517ad656cc8aecf

SHA256
03e0a70f04e6e83632542c02df7b9e6f24d1d21a3fcb809f7bde24449b85f95f

SHA512
62836fc8562ca82bb2bffa65568ba6bcfa628a36905bfc40004438a5f05a51764e00d71538a0698db4d732d51cf1c4f38fd508deadab1eea04c959eed580fa26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
678bc07be2eb722624e4b503a72f289a

SHA1
a03bc5ba9cb60eff9438f523e749d29c4efb08cb

SHA256
8157bca8f664650e407974030a98361aa1c5dc111580b441fd06607bd13b4d19

SHA512
65fc4e73115878fbcfcdb3ed616be828a3041ca85816e65d8be7b0a2cb1a10133fdf3e79bfa5c133a605d3577b64b84dfd779bd4e0caf67ccf07e8cfa0be1971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
811f24a27c59c69ad7582e53120708ff

SHA1
03600921c588dcf427ae9f0bdae6d0f723483794

SHA256
e681eb8599e4e1110dab919411450c3f097edc884d3729c05788b6f0e341b203

SHA512
caefb25133c4b63ef3275176c58c7ea5c20469edcd6ee45f63317e248ecbaac9ea5603d5a2f7ed5ba2886c18951ca637e04a0d1f9df2ffcf707337ebc9ed53ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0d3f14321228387910ab70340c792fb

SHA1
b91a61349f0ffbda684bd95161b0c7e0af4e2568

SHA256
1fb0638631cb32d26e39bc365e51efa70657d2e0736a4e15621bc0c05f2767ad

SHA512
8797849a03b4e64a89a16466b59043b7e77efda88d6e503c926836e2845ff9f2fc7269c6fb57a2177fd1b70d0cff4b1efcc3259eec6594210479d4bb4e85cee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24866de1e034c61af46f6842d8ce7fb7

SHA1
7f4de812700da05918e19033f7e3cbd715145c2a

SHA256
ff99ee0e429f99e141d10e048db2fe4677a54c4463304f2b809bd6968c4918ba

SHA512
277e8ecef31a2e0f43ea2a93731f0c6203eb112513948b750c4771136df4130813aff7584719d8c6f0862f0f07c3888ff1b2da0d122e64d8dbfb347fb9feec42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dcb6c458d3f48470f33da9067e71c214

SHA1
c8c26da4ad82673bc6bf6de2264efb09de974b24

SHA256
ca56442567f785991e9c3ab40bf16864241371eaa87c99daf40372c910af01c8

SHA512
deac2bccf8d73175f88eb117cb9ffe5eaaa0e6003db17baec79626a3a01e2709b605ff70d1e5ec24c117047cde582341b3e61142aedb93e761143ac5ef7f7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5dff5e2cc7d17090d706f1b2dfea80f8

SHA1
4d03555ef9c7df0a79d37ca712f1cffe0be23d8b

SHA256
c96300af3a74b45eb15ab665da8c6d8201143c14514601bc316dbe312b5e0faa

SHA512
0d42882706be0a40c46a436f8528520f479dbc9052514e12586690778e7237923fe2d1ab338f680cab06917049ef075128ff881fb4fc0587f77e201200af79e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58079c.TMP

Filesize
874B

MD5
a65b8db0742f9d93084379b7a068de69

SHA1
0b16c6dddf1fe77ca03f1dcca93e9246e9e9046f

SHA256
4eb9d0b023ef0fa6010dd52d53af020394b7171ddab8b3c8b1d4418cd8e9ecbc

SHA512
08ec10c9769d15d18e1320e2cc6fd0c025af8cc634be49a7b39a75eb294eeebe31aa88796b706fa2256d5663027962ebc3f6e27c9c91b03d78d2b909d9ee77b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d933d19235b8c709447dd6c068b43a5

SHA1
f06c857b3cdfbe2f80ec027afe6b2cf5e1525e79

SHA256
b3e9d3108bbd4bb0232cb35e7d0bc7f322602763fc8514fb6bf397605b153d76

SHA512
2c762295eb08446e4a27c957b401ef4254d5859db47b5157b60719d2a9a99f47b3c92c2713516f3af33bf991786b85b21563c2c44bf81b60d74b5fd8ec38aee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f2e28cd30efb6783f72aa30a662a4b84

SHA1
a18a9b035b8e55e94521d0aeabc93442f712104c

SHA256
3befb45f1a9bb88426d80029222a0151a2668f2c2061db1dff21bf8e60746c34

SHA512
0ae0460dea964f6831c38c4c4d9a6ecf41ba09de02aef7c451096f2f398f81d39458ad60bed51718d6c8eb2aa611eded8e99625ed6e881df0692059828df110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cmlhNTjpQx8.bat

Filesize
207B

MD5
278151b269d76e862924748772242eb3

SHA1
286ed0684d0bb2e7bfb1c650425a4ed618b7dba0

SHA256
2a58e31260c0ee9364761efa18df9b94bb2401fb7568d3ce3aa27bd0566fa0de

SHA512
98a618894f7adb31aee56f721844f53519dd523c5925c0dfc011777436eaed2b8833a71167ee8894bafe95408cf665c5e8ff73fbbd1191b8ac01c5f79dd22a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DrZbqs2oX8Uf.bat

Filesize
207B

MD5
3ac2aa95b46424953d46479b22ddfda7

SHA1
19797ba63de635c5d89dddf6b8b908d3d4076846

SHA256
68253eaad0a850a4aecdd574f900fd3dc59004878b76919e3993afefd23a705c

SHA512
fc79dc8ff4eedabd81b5152797cafc0314dcc11c1594c27acfec2ae519b2be8e15b408db3ee286f2fc6124e22cf049fce6da707b18c156a41d1ea5f81ffd5dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\L647AM0bB2JY.bat

Filesize
207B

MD5
4f1d94e8870aa2d926a940d96e279bbc

SHA1
49a42e35b43d34a5b4754aa2c478eaf792392fe7

SHA256
b900a333ea178b7f9e03d598937167a4eec5e7b38bc98be6b92f85a05f285389

SHA512
832c917ec00023245ea5b4c02a0eff2a50966ab6a9af47c206af4d423841f566ff3b7778d1f5d451e4f8c3ed18522b7bee1032f43d25db75e31a237b9b7759bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIFUkNF2s8SH.bat

Filesize
207B

MD5
710ddd82014c0fce03eb7f3ae3f720bc

SHA1
b7d41ba9c5575147816bc076f7ffee03718485ab

SHA256
296556aa5c3db54c3e916ac1a7fc198c927d666ddb8dddb89778b4f942ec66b9

SHA512
7b8f21c463f7c54c6af16fd78af0a8c62901b3893d21fe96484e1dac1dd3e25bdabcf195ed482db5cc1f8efb406fc2009e5c7b0becc8aee64b3dd931ff8d2a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\S6AAn7mClej6.bat

Filesize
207B

MD5
941068101ec5b0ebe2b27039c19ccea7

SHA1
8d7bc43c3e824f911aeff811ba8194383e431203

SHA256
d28a862414646b62b0d99c0612450d21695daf416f63e68c695cd2e000a609bd

SHA512
a72f07ce1c8c6b34ae76dd0c13b73c3fd1564ef3f0cc5e97c836e137c359bd36cbc358d9e5435be451cfc1295f74709b0d8886fe06e4d7c9f9c50ecef58410d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcMj9CjiBO5a.bat

Filesize
207B

MD5
fb4c6ad3c5c4f6e158da27d447756176

SHA1
46783ba7747809544a01ce25f63371f90a51db43

SHA256
230cf39ecfe54128601a2a957c88309b79a8d6556328ceca279759ccd17150c4

SHA512
85602686319ddd2920f51c8983268bb6561d44d080600a54200ebe329df120ca9f7cdc739302023222d55b783c698c34d369b450fe3da92bf668f8bc9576322c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iDDu6bHdsiGI.bat

Filesize
207B

MD5
44728037d7dcda90a5817e4d04a2e63d

SHA1
5a034b504f0ca47c37e009aa185e9fd7e35b4688

SHA256
fe28703dec31e7d832e0edb6ff4cb5d5f1eedda34ce5f13715d56f27cd2e9b78

SHA512
ab602386880add505f1af3e4e7ef77288096c89bb38fe51dc888023749d702d41d5fae1c25a7fb077c2e48602c099e7f46423ac905f192f6a32de2356362ed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQnKP4vNKZt.bat

Filesize
207B

MD5
4bce21d3f7d0fb0d8beeeb2ed2e1da30

SHA1
7927aa063e17441a2fef50c61fb2aa53b17162eb

SHA256
12b720f67607dc8921c1e0550c63df6990624b7c464a5a25ae02a54ba61d0650

SHA512
e425dcac17f3e0ba9bf8d6ece7dfcfc77525dd561870d6b322020ba474a669f3f57c04c3b5e64539f54ae1d0336b9ea0c95684654151882e293ce453a9437479

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 283990.crdownload

Filesize
348KB

MD5
19cde915d18709c0de2e5acd6acc41ce

SHA1
5478e37f33533ccb57b73c94e613f39f95db3e06

SHA256
f1bcf4d98fef3665492ca5fbf5296fa06a4adb2b3b9681b110a148f56ed1aaf6

SHA512
a1bba884336a8e7a370b218ae70427d791587c25e2e9f52ee59459df1cf60bf7ef8a488e1d159c9b501329d7049349637a23d5b2e5fbe32e4a6fd1884c0b068d

Download Submit
memory/4556-280-0x0000000006090000-0x00000000060CC000-memory.dmp

Filesize
240KB

Download
memory/4556-279-0x0000000005490000-0x00000000054A2000-memory.dmp

Filesize
72KB

Download
memory/4556-278-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/4556-277-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/4556-276-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4556-275-0x00000000003C0000-0x000000000041E000-memory.dmp

Filesize
376KB

Download