quasar | 30adee2f7cba21cc4a48c262c26a34846c5f094182934402b6195da76b4b8f5e

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KAZZAK Nova/KAZZAK Nova/Installer.exe
Size

3.1MB
MD5

c85c392d4f402f6d1efe69a397874fc8
SHA1

d7bf20fc60a832f2c101fb47133fde314c164427
SHA256

e33a67ca41bd7f1dbe94489e953d2a6d720dccd5fb82d62353946a193be862eb
SHA512

605c12a4140fb1a18f76112040704c9c41a7b78b887324b12852400b56ab1c7e20d1587dfdc9ed62de1480eecaeb0e5b6f845157637aeecc429bdd60a068c971
SSDEEP

49152:3vrI22SsaNYfdPBldt698dBcjHZTRJ6VbR3LoGdkTHHB72eh2NT:3vU22SsaNYfdPBldt6+dBcjHZTRJ6n

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

kaziahlds-23371.portmap.io:23371

Mutex

04d20254-5898-4b4a-8396-e1aacfd3225f

Attributes

encryption_key
1127B18519097512D1F8F01C3CC393354B9F8404
install_name
Loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
KAZZAK
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/536-1-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral2/files/0x000c000000023c59-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2068	Loader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5892	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4168	schtasks.exe
3084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
1460	msedge.exe
1460	msedge.exe
2296	identity_helper.exe
2296	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	Loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	Installer.exe
Token: SeDebugPrivilege	2068	Loader.exe
Token: 33	2864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2864	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2068	Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 4168	536	Installer.exe	86
PID 536 wrote to memory of 4168	536	Installer.exe	86
PID 536 wrote to memory of 2068	536	Installer.exe	88
PID 536 wrote to memory of 2068	536	Installer.exe	88
PID 2068 wrote to memory of 3084	2068	Loader.exe	90
PID 2068 wrote to memory of 3084	2068	Loader.exe	90
PID 2068 wrote to memory of 1460	2068	Loader.exe	97
PID 2068 wrote to memory of 1460	2068	Loader.exe	97
PID 1460 wrote to memory of 116	1460	msedge.exe	98
PID 1460 wrote to memory of 116	1460	msedge.exe	98
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 2028	1460	msedge.exe	99
PID 1460 wrote to memory of 4968	1460	msedge.exe	100
PID 1460 wrote to memory of 4968	1460	msedge.exe	100
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101
PID 1460 wrote to memory of 1832	1460	msedge.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KAZZAK Nova\KAZZAK Nova\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\KAZZAK Nova\KAZZAK Nova\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "KAZZAK" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4168
- C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "KAZZAK" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba62846f8,0x7ffba6284708,0x7ffba6284718
      4⤵
      PID:116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
      4⤵
      PID:2864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
      4⤵
      PID:2908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
      4⤵
      PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
      4⤵
      PID:3092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
      4⤵
      PID:4076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
      4⤵
      PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6068 /prefetch:8
      4⤵
      PID:732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
      4⤵
      PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
      4⤵
      PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
      4⤵
      PID:5960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      4⤵
      PID:6124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      4⤵
      PID:5604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,6533992974613629104,7907856876560182504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
      4⤵
      PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nigger.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
65a84cd7925378cc74972cc4e677ecef

SHA1
30b4da4c5dbd0cc77d756d270ad260ef74987ccf

SHA256
7be0a4cebd74cb4d879e3f9950f5ac5a05acc3bdc415bbf9d3dd691cccee2cb5

SHA512
ef142224cc0b94a1c5585836988a0d544e7e8b5e8573a1893c9fac528a1ccbbab6c9c7acaad7cfec1a415544bbdcdfd1d0c5e0a0819cb94107fd81989df18704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62e6ffe7501e581c80b178323e921b81

SHA1
d0881a3d0aee1c256291d34a90e3092fffa60ce2

SHA256
a4f50a6b36e27013a694382c996a1d3059d38310a138f21aa25cc682be5cb0e5

SHA512
0c4e34fc9a7c5308b1cd05ea71d78c75a9fb85267d7f3e5616dbc1390794941eb549bcc70f7430046ca79cc0055edf0bd51b8eb43f84ee42163dd34d612ba137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
28KB

MD5
59357e34d8432ac6b757f8b4d88ff06a

SHA1
15e8869a64812a23a8192f94b029806eb5d4ec12

SHA256
21f102e5df82464c7bfa5ea7f0f40b8e33b357a72cf399b7fa39767f0231590a

SHA512
b098d1b3106afa6097244c81a76792f7bc8d95195e2fbe0aff0414cc508d24f06386947aac38c65f81acd79593e1ac06ed8ce4c387d70f4b4fd91e7fd34e1f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
67KB

MD5
a3a5e471edbc3b6837ab93c166b0c63e

SHA1
cfa7e1b829c800a78e6140062c0bfe85f1cff4c2

SHA256
4a64a548793e06b80b17b38dab11f36a62ab60e927848276000ea18d8a5cea64

SHA512
db9a1e38414b49d9f94fe0361d6398b62751a1e3deaf80e83545678925e62acdc2e25e2e8e5ad799bc672a5c3fe8af7870a3e21d9bdc3fd70d8e7178c1907cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
88KB

MD5
e53a874ec2fda2802bcb486cbf99ad82

SHA1
15e5752f5407e831c8c3f48abe1757628da670c8

SHA256
c5ccb7c83fdc677bce330d281a0ec6d29db8b5d363267d010235cffc842985a6

SHA512
5ff6bdd69f3dfa7bbecb08f7c5903286c8a19358b93f7dac1eb342e30713787e0039ef5fbf7590ca80ec714035616b71b6d811df32f73ec179611b2c13aad19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
109KB

MD5
ee817410c2a8b22174031d27ad920360

SHA1
c359cb4a31eb2644728b4def9a588ecabcf66770

SHA256
f44ce3c9d1a853e970f6b4ec1748255cb71f9086afa181677b296ba5a1fa2f5b

SHA512
9af4af31b0e0e0d001bd853f2cc67a33b198c706e14c88b47484c754efc88a7718b11533d02091c02d7f97bacb7f247643acdf867c4d366becf0aa984a96e7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
31KB

MD5
f39f2cd3a8072e9449ba67b8b0be5326

SHA1
b301033172808fa683c89fda200e603d9e118a0c

SHA256
d648eff6b732ee1d3614f3d78c4cc597f61c19bafb45aca74a1a16e2a1128d09

SHA512
f85b3bddd61380d3df4593ceab2b0f7d564a58da874691dcb4a3ec201ddf60281b87f5858f4ed38e26f052a077b5dc1feccb02fdb8d640b126ea43d92dfc23fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
60KB

MD5
5d061b791a1d025de117a04d1a88f391

SHA1
22bf0eac711cb8a1748a6f68b30e0b9e50ea3d69

SHA256
4b285731dab9dd9e7e3b0c694653a6a74bccc16fe34c96d0516bf8960b5689bc

SHA512
1ff46597d3f01cd28aa8539f2bc2871746485de11f5d7995c90014e0b0ad647fb402a54f835db9a90f29c3446171a6870c24f44fb8bbb1f85b88e3ade9e0360e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
20KB

MD5
29be3f4c1685374185295c0577a0fbc4

SHA1
c720338b90479756d89c4c0bd6e1b2c126e741e2

SHA256
84234bc202cd90772c3dad4cca1b2e1330d811546ed6574be8a6dd8706356d80

SHA512
6c8e59a0453b5ea2dfb99dae65a114d5b05e28428fc0b8d0012ed155115137f5f54abb232f7efae0e5c7c9775e7c5e3373c2f582b59c62625206445f1f5d9894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
953KB

MD5
d786fd7a11bf827917e4a833f346fb50

SHA1
9d2f89458b481b159946fd886216a926f109f8ca

SHA256
af7523f4c9e4543e352b9c52422bab7ee725be0dcc7430412b85f665a1cfc79b

SHA512
b3ea25bbf3e0fb968a8d9dd6568af890b4a641199d0d65519a204645483ee3e72fb571c14ac3915efd9655ecbe1bdaffef20045af6cd1b1e804140b7d9613328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b8dd0a38a21ffea5832364adce7c95f2

SHA1
97e082636f26f0505940f8ddeadf8378f7b1395b

SHA256
220e88a9d86d217259efc4c8f0ff67f83744cffaf31e514656e649a55571e1f1

SHA512
495e9bf2364ba1569a0500ef0cbe3a5593b3193f092053762726bf6a2e873595f918c63fcaa2710c6852113e9c672b811b568fb168850d515ec9006652ac54a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
05441d91ee5767d504f8d3631a228467

SHA1
f8a7c9e0dcaac6d48f6e19f6423551d94529bbde

SHA256
e23bf2dc58f3736142a57f7e852ae6ac1deca1d06c62e249aa5decb5486969ce

SHA512
625e3a174d33188192104fce1fecdcbe0f8657e39fd4f0fdbf826633baeffe16fe38476c1cc1675f2af88e0ed002ac7f91c81e76717f1a862151cac1b170dd9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
63aa242a417f4fcdb7ee5ee480f65342

SHA1
bd8e2ca9c9769ea9c5c1a4021cc1fd1a593bdd39

SHA256
696b2a63e2c037b9e47d6f3eb73331121092a53c0ad37732db284e37eecbf741

SHA512
fe6bab1cbc89159e97dbfca87e2ae065e7a09c26e8161daac0f8c8410c175758d3d87b2076662c2374e70a333c405131d60103c5bb4473d13ec062b64b366a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
83c6ec61b70b52fd4e1005bf9ad71577

SHA1
3a7903bb35f22c68ba561f3e915ef1b24f2a35a4

SHA256
1ed61bb9a760c96fb0617c741626be3a6cef122c9077d25fd85b543eb19c2779

SHA512
d894d3f9fbec4442e34d8abc3c7ece061df0fab7caff094ae5825c2f601bcd7603489e2db924112bec719ea9fdf37ed26c3de8d8528d9e47d48599e3e1ee290f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bd0a5645ea58aa59cd89dc6e92fed6c2

SHA1
c53dccac29ac81553a77731531bfaaeb65991316

SHA256
011ee99624fa7ea5847f4219f5fe42ae7d8d6f18cea12dde6a247dbab07d1e67

SHA512
889c4b04a26f8c2901599410284e23f03083f5a516007cad5207a0437c17b293cd2c708955f7991629577dea00d4b90aa329ea04a6a629786ce1d6c53d316846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e28d820e4aebc759a522c5eab232f1d5

SHA1
b867a6f4b5d49d2347cde18a1ea576bc6031c434

SHA256
19e7d2e110b8eaf7cff18788f5339bac06a8a7a4188aab54aaac6b3d8cc1495f

SHA512
244ecba61c7a3d047c616f6555fbbc66affe082c06e7f2c8c1df3ffe0ce31d5adca39239cc976011d966821d13d6b799abb95283f30f8cdaae3a9ac9dbc563e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
636f4b341dfffe2f74e0b7f3062ecef1

SHA1
776b3031304aa7492bac6aa6f611844d55dc705b

SHA256
2edb565a2686ea1a89c46de67986bfcd4ff9bcec76c7dd8c32d4281ad1392e35

SHA512
be447533f63a9ce09b46fd645a8b0e4bbee7460bab4a024ce8b7481059f54a87a463d85cbb27ce5462fa26abb0e032c9867f947433c16620a8b8cde5a113dbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d73ae79652ff700ebda2f623359ab46

SHA1
83b485a8fe892fa2d13aa80db2881cbde24a35d3

SHA256
dcfbc9b0b0b05b9448a2da6aa616d83a32244c787f5c3e850801a7d144c2f2d8

SHA512
6a8416ff3b1eaf8da5d0027134b5aeb60d517f21c0409de469cece0efa035fd9621cf29c7535d5a19ed99d33abf6d74d6d7c3379ad38e0a9970a2a289e2882da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
4KB

MD5
c89036dd1a2758e79fd9260d4f221196

SHA1
0a470ebe5483c27be21971f781f04291d0de2829

SHA256
8a474a6e67004e277e7aed87a8f268d2438bb3656b82ae2804b1fb997f4a7de0

SHA512
a049a9edda5de83c3d7c1786a66134ed4b0f0daf70cd59fccb6a33a290fa7107a89c711e3bb8b034658c59ef962a43a363010a798beff3682a665ef386140c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
01b81e6727a0c3d3e219b8f688dd137a

SHA1
92e7ad92b6668d652a7050efb0c70929b8bb6f42

SHA256
5f30973ef9ab691c5697ea9417d276d68e316ea7f7c4941b0a6e33043b4e232b

SHA512
c448cff52e48232afcbaa1c916e60eedbe95df6803bcfccfdf9229f88c66b2698cddc10bca622e9d1086a3c058bb60f1f6a90c38a24de49a328dab1275ee572d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Filesize
3KB

MD5
a92a0ca89373d77046d9c5f65015221d

SHA1
f03c7d970814ac6ad958d136502c939babb38605

SHA256
4c44c486ff8aa790cb792da34805b60761e15630f2f7934899803a1a899fb869

SHA512
bbd0497a7eeb66645655f66cce215b35785bd30c08cb571f923bea78f67582046bf84f45fc24b56bb88308d2958a3ebef7c2ff4e4248146a88cd63ff33fa5502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
8540a39892f3a24c2cd3dd5907dea0db

SHA1
191d740f0cd9823dc7c5557f4698e9e114a9f259

SHA256
841e71607f4f14f81174b0268759614ea065e32175d0d3c5540714840fdfdbd9

SHA512
d86030e0188f67cb82005460985462897b609d1a32f8fee534e3572dab386dde6be788f73ae1149d0515de1c82cc7e4b29fb368930d36b5c61feee542e3880a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58491a.TMP

Filesize
48B

MD5
5da8f5b5ec4482f1aa7cd88aac466c9c

SHA1
751c7f9cf9da2004f842e31ea11f1d02b3bc0157

SHA256
a87e88e2c5d87d22a41d17389c7bcd469cb9095c5f97cbf45f418a23e4819139

SHA512
d43eef1c2271e6d31afae22a0b3493a9a1fc94482a8a0832b5342506236b09cae934e4195922a6ffb219ed056afdc807b111ab994fdfaa1435ec5a5750934441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
afb26dde8aac1bc23fe6cd23f1691c1c

SHA1
e3ceca9fac3aada6e778a8e42e34ae834354837f

SHA256
6eb5aea0d335b3bb51ff6397143002aa25acd5509e283f73e5161d79329b292b

SHA512
ac249d81dc7ebb828ac1414cb62e1d876bd3f1097767594a9c2dfd1dba680969c4d61427cb4a64ca3b99e1c4a7b0ad562990911d894f5b90999429d667a2d0f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
01330b5d31fdbeae3654c549d5ad900f

SHA1
ede1ef2f264a733367821eeae79ca8cc50af9e5c

SHA256
384b0c721ba5d9624eb31fd06397d7a9f343db6443a6884f7ae517177bedd107

SHA512
3205feab91cc006c3a2980f05df46c40667e480c9d891883c4c80337699eb7fda222e4ea89901173d5c708409142fda1ee16713b1e9fb960efbacdea05ebf693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1c44e322881196b8278d6955e9457edf

SHA1
bcd3c62d00ac00ae6c8b79171efd66591c28e121

SHA256
83ee8dc79bb38a475acb16c583c7db563319d9b3b29a90e5cc25d16c65ddd9c1

SHA512
88e9d90d0e720dc890395733f5166adbd58e8267b00325177f1581cf37c98cc4a233b68f9c5a56d1bbc3812028e1b36f573a6f2da9bf79db4f4e97a72f1b23e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4524da02f5fd791e79159f2654e78d68

SHA1
615e78b1d891a63315e054b78f6dc38c71246daf

SHA256
7b5f8652e41bea5a9d20bedc60cd7bc020795442e65ec4327aa90b98af8300fa

SHA512
557e4cc5d2050ee76202a77ca8910f8d2a675ea35620adb63b0875c13fb1b0c52580a0432b263640fedbc311871920ba47b51ea50826b07286970a9058738e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03a0cdda19e08db53e6f2ce43778da47

SHA1
274d8133cf7e649e1d38982dfec1aa4abfea36a7

SHA256
b57641119b1739f8c226737e9e89cb6351d91571ef061cca404aea14cb487be6

SHA512
9c37415d0cb70b7e139eda7caf81e22953f3bfa014e0965a82cc8af9f73e6adf6300cccf9cf25aabc0a70192d4bce30ed3a180978d0db33a05f3b623c2ed0d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584d8e.TMP

Filesize
537B

MD5
61c0c74d109073d7bdccff62ec6214e6

SHA1
66be52dd60513a43b399cc3ec049df6f5e1a30f4

SHA256
7c4a35803b34918cdf4e8e5aef7ab751cae67b93b4a43924ed8acfdbeb017f00

SHA512
2ab5f808d4e16214b6b080291927b73a96cff2f4cd1cb2a84242db0d3593fc53ce111dc51ff36325a461a0263d2fe7e443f1d583aec54736fc6916cad1931a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f6149821-74a2-4a59-8577-3c0948337ebb.tmp

Filesize
4KB

MD5
e34058600b4005a07c00ed2b483cfbd4

SHA1
1fdb2feb1e0eb5c056d9e15778b8f57cb2c7754a

SHA256
42151504611e8304618d317d2112443584ad39b8fbe4237dba3658be5c9bc1f3

SHA512
d3a4cf2ae5cdb580e1fbb61f36957bdded8682c96173415df2eac0bbdfd9b4c087f2393a31ae4f075d1e68bb020632de87ce9c0a860995fdba4a376de71e57d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bfbdccfef86c4349958028dced3448be

SHA1
8f98b0302a254e05ea1c89b58279408d90472dc9

SHA256
2d2f8d3f00ddbf5db414e692e046925f77d266203cb651591897846425e43058

SHA512
024a43f49dd687cb3dfa004f7fd13b7026830b5ab3df0cbc46a9133df2f2eecedc0492e632aefdc689c3b9756836eeaeb5d377d1e9f5ed97fa30b8f0adae1bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2bd1b565f3212257244a7caa514cf7c5

SHA1
b5cf9e6e731916d49948203eac08581f97ab11e7

SHA256
729fd9a9a131285f591776b560c79e90751e4d7cf995e6b36a4f2715367b3632

SHA512
49b55b4aac3ecee95743af2b07f9405d4632207c1d3278a0dcb1c7264cb733838ffbbcdaf5d99df06ca66778a6b9f6311ca3522b4f0b7076f7def3426e35f301

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Loader.exe

Filesize
3.1MB

MD5
c85c392d4f402f6d1efe69a397874fc8

SHA1
d7bf20fc60a832f2c101fb47133fde314c164427

SHA256
e33a67ca41bd7f1dbe94489e953d2a6d720dccd5fb82d62353946a193be862eb

SHA512
605c12a4140fb1a18f76112040704c9c41a7b78b887324b12852400b56ab1c7e20d1587dfdc9ed62de1480eecaeb0e5b6f845157637aeecc429bdd60a068c971

Download Submit
memory/536-10-0x00007FFBA4F90000-0x00007FFBA5A51000-memory.dmp

Filesize
10.8MB

Download
memory/536-1-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/536-0-0x00007FFBA4F93000-0x00007FFBA4F95000-memory.dmp

Filesize
8KB

Download
memory/536-2-0x00007FFBA4F90000-0x00007FFBA5A51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-187-0x000000001E7E0000-0x000000001ED08000-memory.dmp

Filesize
5.2MB

Download
memory/2068-15-0x000000001C520000-0x000000001C55C000-memory.dmp

Filesize
240KB

Download
memory/2068-14-0x000000001C4C0000-0x000000001C4D2000-memory.dmp

Filesize
72KB

Download
memory/2068-16-0x00007FFBA4F90000-0x00007FFBA5A51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-13-0x000000001C560000-0x000000001C612000-memory.dmp

Filesize
712KB

Download
memory/2068-11-0x00007FFBA4F90000-0x00007FFBA5A51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-9-0x00007FFBA4F90000-0x00007FFBA5A51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-12-0x000000001C450000-0x000000001C4A0000-memory.dmp

Filesize
320KB

Download