quasar | 30adee2f7cba21cc4a48c262c26a34846c5f094182934402b6195da76b4b8f5e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KAZZAK Nova/KAZZAK Nova/Installer.exe
Size

3.1MB
MD5

c85c392d4f402f6d1efe69a397874fc8
SHA1

d7bf20fc60a832f2c101fb47133fde314c164427
SHA256

e33a67ca41bd7f1dbe94489e953d2a6d720dccd5fb82d62353946a193be862eb
SHA512

605c12a4140fb1a18f76112040704c9c41a7b78b887324b12852400b56ab1c7e20d1587dfdc9ed62de1480eecaeb0e5b6f845157637aeecc429bdd60a068c971
SSDEEP

49152:3vrI22SsaNYfdPBldt698dBcjHZTRJ6VbR3LoGdkTHHB72eh2NT:3vU22SsaNYfdPBldt6+dBcjHZTRJ6n

Score

10^/10

quasar office04 discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

kaziahlds-23371.portmap.io:23371

Mutex

04d20254-5898-4b4a-8396-e1aacfd3225f

Attributes

encryption_key
1127B18519097512D1F8F01C3CC393354B9F8404
install_name
Loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
KAZZAK
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1188-1-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c92-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2196	Loader.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133827612405427148"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
3944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
5056	msedge.exe
5056	msedge.exe
3596	msedge.exe
3596	msedge.exe
5152	identity_helper.exe
5152	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	Installer.exe
Token: SeDebugPrivilege	2196	Loader.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2196	Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2704	1188	Installer.exe	86
PID 1188 wrote to memory of 2704	1188	Installer.exe	86
PID 1188 wrote to memory of 2196	1188	Installer.exe	88
PID 1188 wrote to memory of 2196	1188	Installer.exe	88
PID 2196 wrote to memory of 3944	2196	Loader.exe	89
PID 2196 wrote to memory of 3944	2196	Loader.exe	89
PID 4544 wrote to memory of 3064	4544	chrome.exe	97
PID 4544 wrote to memory of 3064	4544	chrome.exe	97
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 1624	4544	chrome.exe	98
PID 4544 wrote to memory of 3012	4544	chrome.exe	99
PID 4544 wrote to memory of 3012	4544	chrome.exe	99
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100
PID 4544 wrote to memory of 4336	4544	chrome.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KAZZAK Nova\KAZZAK Nova\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\KAZZAK Nova\KAZZAK Nova\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "KAZZAK" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2704
- C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "KAZZAK" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.met.police.uk/advice/advice-and-information/pn/pornography/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd360946f8,0x7ffd36094708,0x7ffd36094718
      4⤵
      PID:1892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
      4⤵
      PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:4732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:2768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
      4⤵
      PID:540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
      4⤵
      PID:3988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
      4⤵
      PID:5312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:5320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
      4⤵
      PID:5532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
      4⤵
      PID:5540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:5992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
      4⤵
      PID:6072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
      4⤵
      PID:6080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2208,3155640493621189269,14773186277001064474,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6292 /prefetch:8
      4⤵
      PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://twitter.com/
    3⤵
    PID:5912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd360946f8,0x7ffd36094708,0x7ffd36094718
      4⤵
      PID:5928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd3632cc40,0x7ffd3632cc4c,0x7ffd3632cc58
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3448,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,16577316808236751981,7606012165978368544,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:1708

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\46c47782-5d95-440c-8330-697f5c31ca74.tmp

Filesize
241KB

MD5
d0f76e2a7093d00a07b886b0c6106f0c

SHA1
011ab0f4ccebcb3272bc4d9e9472eb56542f524a

SHA256
506f9c9581b8bb03a8cf92ee98e31bd958dada2d7a0352426cffbc67d05251e4

SHA512
2639ddb06b3a9003ef42ca97ba3886a084a6756ba92503d11dbe0ae9d3167c75a90f976a2644c335f90dd418f005094662db0da740c79f1f5982b49762252c3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
795aea49953f9374efa238ee10379c10

SHA1
e78918df9680f3f36f9c798f1c3f3b182f630f1d

SHA256
73aefc5c03ae4fbfbaa5b36ae3ce64a350e45c3e9f75f19f97a470984452ec29

SHA512
36e8af6ae65d26e926064d288ff1c744e4f6c7dc0e07ff1f96cffbd0e58a28bb3c5e6ae6409814121fc913fcb0dd0eee3d8d23c130febed61116cd8251a4d676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4d3e21765639955ce8f6e888457bdbfb

SHA1
992604ee868fee354b38c0323f8dac6358a875b5

SHA256
4c2d0ce5f03349123b5261743cd7ce201762b5f86c363f30dbd111592635a91c

SHA512
a5d17f0e14f68e0b787d4b9ee21cf864bcee7845a592942e26e8ef4ad9a133bbd54a8c13a819499697b0333307a21b3e5145927e1d21cccb255d42a40a56f0b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
44206da0557eccbfe94298c245d2d080

SHA1
4946c7085ddcb29329baf70ef744267bc54ff463

SHA256
944592aa519efc5ecab2029b403417b21eae674be31a8ed389ac774cbb2d0ea8

SHA512
168c435d7c216702fb4bdd1026d2a8d03ef24b0a067ac5af4b538134a3451825923955f0669525f108d365305d50ccc39171d1a7a15ecc523912d04edb15dfbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a3399861aca01304b820fe7c13b50a4b

SHA1
4fe79bdb677ce603145953e3a376386ec6cd170e

SHA256
d6c7c3287ffc7f18b09ac71519ad24d78924fafdded1b7e98b1cdb0c4e9beeba

SHA512
44f315faba8fd18f6e1f8632cc97cac3ba9bdd760671d23a57c9c53763c6354ff5108c8829174d2198c1ac3b22b94ecb7843819544c2994b7243c623de83606a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
780aff9b6dbff8c46988a0f14a049e08

SHA1
0f6d515ebcb487d70b6de67eaa47e26f94e15eb6

SHA256
7f11c3df0e721b9c9ec1033ef96984e05eb77b5e604d74d4fdcda6a9771aea6c

SHA512
8dd6f33da637c121f20ad6bc9c0c46ac42c4ec6ab4d72214fd8935274569bee582cf2aea747f67927799f1e617be3df89491dd4eb718096c55ca55224ab4a1b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e2ee423d8a65c4c118967d8968601d97

SHA1
0988e897018e3516b7e2a8e076fdbc9767df3557

SHA256
d17f224765551f25980ebfbca6ed5bcdb924112cb65755d95b764fbd38faa5dc

SHA512
79c9dade52b59d37f799494429fcd59296ea5a01dead84dc9724407fe966d36d5554779d332cfb89b76f00474bfa3383f2953e0d7da74d3b30446ed6e253f50a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4629d287619e03e76f91900f6e0daa69

SHA1
ef1b1c765e707e9435ce20a94ea66755348450ac

SHA256
2e8a0da522213d4f2071aa41c2cb32a6b2b83aa4aa0f8140bbf7b74462406353

SHA512
8efd18e4b0e27c60a1638cdac2c7b00107341cd278fe7325021ccfff8195a848890b6eebad2e8008b96bdd4df1d65f9876364be2cfe084ceb85246d9c16cb361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
957fb6a093a2ef18316b9e28889c1d7f

SHA1
43273a34f73a63b9588ea8a15c8c7bd12905b130

SHA256
58bda3140cbe2fd8ebe8082c670865027a7a3c86e7b22347f62b3d45ddf81299

SHA512
caff61ccf111f42604aeeb8ed7f10ce5bc41443b6b72c9dc90f0af146fff206337202a0c2ea635b97fad094093313133ac4c30e74d380e9555fc802138a75af2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4f066d49e0db0bd413b0fe844e47ef21

SHA1
d692c2895e6d49ea100df125501d9cfdd0ab2f64

SHA256
8612a631a28b0de6609f4809b1bb92e7b8370d299c419ae148379501697e0182

SHA512
eea0abbd2dc9e000452448bd4eb5cda646d2bc99d12697a205297d8094acdfde29894c596b2d66a12d79c2abed9606778d36c03cd8b56ed5bd5aaf9192404845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
241KB

MD5
35fbe33bb84f53b180863205acd8e44e

SHA1
d4dd1cde9814c5eb5f1a366f82677729d12ec746

SHA256
0f44733bfa9aaf9d3be00eb7f0062001d288a8e752ed5798f1d3712ed8e60a26

SHA512
20f16c906d8471c89dbd4e5caa785339f8b1e6fa7f971548219d21657070e8a8d803ffa392be5105cf6854817f4bc44540545ecb14dc5a9f2e20dffc8c11de57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709e5bc1c62a5aa20abcf92d1a3ae51c

SHA1
71c8b6688cd83f8ba088d3d44d851c19ee9ccff6

SHA256
aa718e97104d2a4c68a9dad4aae806a22060702177f836403094f7ca7f0f8d4e

SHA512
b9fc809fbb95b29336e5102382295d71235b0e3a54828b40380958a7feaf27c6407461765680e1f61d88e2692e912f8ec677a66ff965854bea6afae69d99cf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc29044ff79dd25458f32c381dc676af

SHA1
f4657c0bee9b865607ec3686b8d4f5d4c2c61cd7

SHA256
efe711204437661603d6e59765aba1654678f2093075c1eb2340dc5e80a1140f

SHA512
3d484f755d88c0485195b247230edb79c07cc0941dedbf2f34738ae4f80ba90595f5094c449b213c0c871ade6aff0a14d4acfe843186e2421ccbad221d34bf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
d4c62093f7725e41eebc61557ca9e872

SHA1
965437d83ff8bca43d0343d28a6a4081fec9f222

SHA256
f02c966d546aab4c38a3e7106d56603cdf9b8df0363fb7e59dc859c629e1244c

SHA512
7346a0739aae49bde08dff57a944f46d40a40c335f37263f6be623e7a628b82cd63f0fca1b447d25de96bd482597bbc88b722d6b474cafb42d30cc6a1553c9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00bb0870da6576a2cf6a5bd768bed140

SHA1
d6b0ee47ea903662fe28d0851e50fb1580ac7c19

SHA256
81f334254abbf9ebbb43dade83e992ead5f2a01fa94e1fa842d7d40bd9335252

SHA512
87777c0f72503d25e17fd20df4a1c232b89f41b5987046e8c68200d4dc3f4682bf70542de3b384ab0929968d9fc60558a9882a65dca9fdc4886d5b9ab2ff8eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c28f2b52804359346f49d57f185dba08

SHA1
dcdc94b9e2a0ff72f6a6a8ebdd419e84f3983e61

SHA256
99e2db468f60169730f7dad0931eaa92d8d8848979974bfb95ab4ae3c5587cb1

SHA512
b6635a149c96a1037341a4fb825985b54b34cfcc657b3b02e371477f3c3e85b120ef8fabbd1de7505693a377538dd7e5a2d32856887be47f8ec33881a98d8aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
991fbfb61f62adf31c2c3832dcbbf522

SHA1
973d6416c6ea55564dc27996999ae4c6d0d707a8

SHA256
44ef14c6dfa0328e95781c1ddf9173b7a9d7fc15accaa4352e7817f8fc7da6d0

SHA512
b1ab91bbbfd62118ef8e1527b9f75b660962997768ed4887e875a141c4f8793c3164e415d0055c9dd155eb23a2135c72caba23076f14238ecac77977f9c4a819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f529af155f00f99447bb5f75c10cb3b

SHA1
4bf4b3b08da8d8bc0e2263c811238f29e0fd7ba0

SHA256
479bb4c8f4bc1c59d446cfed9668c3f75f8f78efc0ae0bc1e8e825682048aa1a

SHA512
237238e79346896118637daf4db593d446032159b6a6ab1ccf5028f690bb9e0e2a265161800c922bfa4b0b2dec6041e2b703604e2e8b34f95b1290ead23ab892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59fb7d.TMP

Filesize
204B

MD5
ad0dfb71ba6c7763883df5bd2472763a

SHA1
bd22956a6f41dbab84b8366b7fabbfc752ef26c9

SHA256
d2733f208ea1f0375906fd88cab52497241f7d3267a29224ff5e0758409405ff

SHA512
3277877782e8519f86432990b5f2f052bf4e6cf97fb77f5e38f7765fb189c08727e3e69fc3f6a0b8973b39fe2ed6aec3fcc79c6b562f6243f8c9ef061538d730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90c462db154bc2a24c5ae0daad3a02e2

SHA1
d329f912a46e5892d90350b7dcda5c262991250d

SHA256
06a8411f8c1df4e3e9eaef9962b3e601fe9b1eeb7135afab41b760d2dd49ccb7

SHA512
14b7478e24fb7bd99e19cc257e0503162afd6b45bacbec01fe378718d6d4e0a0cbe78c48debe6c8839124575d4913717ea50042008980d25900214a3873d8281

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe

Filesize
3.1MB

MD5
c85c392d4f402f6d1efe69a397874fc8

SHA1
d7bf20fc60a832f2c101fb47133fde314c164427

SHA256
e33a67ca41bd7f1dbe94489e953d2a6d720dccd5fb82d62353946a193be862eb

SHA512
605c12a4140fb1a18f76112040704c9c41a7b78b887324b12852400b56ab1c7e20d1587dfdc9ed62de1480eecaeb0e5b6f845157637aeecc429bdd60a068c971

Download Submit
memory/1188-0-0x00007FFD26FA3000-0x00007FFD26FA5000-memory.dmp

Filesize
8KB

Download
memory/1188-9-0x00007FFD26FA0000-0x00007FFD27A61000-memory.dmp

Filesize
10.8MB

Download
memory/1188-2-0x00007FFD26FA0000-0x00007FFD27A61000-memory.dmp

Filesize
10.8MB

Download
memory/1188-1-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/2196-16-0x00007FFD26FA0000-0x00007FFD27A61000-memory.dmp

Filesize
10.8MB

Download
memory/2196-97-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-96-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-81-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-71-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-69-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-48-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-204-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-19-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-18-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-17-0x00007FFD26FA0000-0x00007FFD27A61000-memory.dmp

Filesize
10.8MB

Download
memory/2196-15-0x000000001C0A0000-0x000000001C0DC000-memory.dmp

Filesize
240KB

Download
memory/2196-235-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-14-0x000000001B920000-0x000000001B932000-memory.dmp

Filesize
72KB

Download
memory/2196-362-0x000000001CC20000-0x000000001CDC9000-memory.dmp

Filesize
1.7MB

Download
memory/2196-13-0x000000001C120000-0x000000001C1D2000-memory.dmp

Filesize
712KB

Download
memory/2196-12-0x000000001B8A0000-0x000000001B8F0000-memory.dmp

Filesize
320KB

Download
memory/2196-11-0x00007FFD26FA0000-0x00007FFD27A61000-memory.dmp

Filesize
10.8MB

Download
memory/2196-10-0x00007FFD26FA0000-0x00007FFD27A61000-memory.dmp

Filesize
10.8MB

Download