quasar | hxxps://github[.]com/Serpentiner4/DiscordNuker/blob/main/DCNuker[.]exe

Analysis

max time kernel
169s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Serpentiner4/DiscordNuker/blob/main/DCNuker.exe

Score

10^/10

quasar dcnuker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

DCNuker

172.20.240.1:4782

Mutex

5aef42ba-730f-4fd5-8e38-3b80e5c03c35

Attributes

encryption_key
AEF3998DA89E9CAD4DD20B71C925A29DFDCDA383
install_name
SecLoaderDecryptor.exe
log_directory
CrashDumps
reconnect_delay
3000
startup_key
Update Checker
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000242d2-465.dat	family_quasar
behavioral1/memory/3240-553-0x00000000002F0000-0x0000000000656000-memory.dmp	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
88	1156	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
3240	DCNuker.exe
4700	SecLoaderDecryptor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
83	raw.githubusercontent.com
84	raw.githubusercontent.com
85	raw.githubusercontent.com
86	raw.githubusercontent.com
87	raw.githubusercontent.com
88	raw.githubusercontent.com

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1725045429\v1FieldTypes.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1725045429\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_2078659802\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_2078659802\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_67706678\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_2078659802\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_2078659802\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1073990498\deny_full_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1073990498\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1073990498\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1725045429\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1073990498\deny_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_67706678\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_67706678\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_2078659802\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1199407838\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1199407838\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1199407838\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1199407838\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1199407838\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1073990498\deny_etld1_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1725045429\autofill_bypass_cache_forms.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1725045429\edge_autofill_global_block_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping532_1725045429\regex_patterns.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895774456766683"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{9F7E99A0-FAE0-4BC4-81C6-93483E59EBBF}	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3604	schtasks.exe
5440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
876	msedge.exe
876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	DCNuker.exe
Token: SeDebugPrivilege	4700	SecLoaderDecryptor.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4700	SecLoaderDecryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 5360	532	msedge.exe	86
PID 532 wrote to memory of 5360	532	msedge.exe	86
PID 532 wrote to memory of 1156	532	msedge.exe	89
PID 532 wrote to memory of 1156	532	msedge.exe	89
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4492	532	msedge.exe	90
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91
PID 532 wrote to memory of 4464	532	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Serpentiner4/DiscordNuker/blob/main/DCNuker.exe
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7ffd6df3f208,0x7ffd6df3f214,0x7ffd6df3f220
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1952,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2252,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2580,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3536,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4820,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5056,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5528,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5780,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5780,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5864,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5816,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5624,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5244,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5216,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5216,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3772,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5484,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2740,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5340,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5832,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=872,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3488,i,839673136552819173,11629895397462342285,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:544

C:\Users\Admin\Downloads\DCNuker.exe
"C:\Users\Admin\Downloads\DCNuker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3240
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Update Checker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SecLoaderDecryptor.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3604
- C:\Users\Admin\AppData\Roaming\SubDir\SecLoaderDecryptor.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\SecLoaderDecryptor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4700
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update Checker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SecLoaderDecryptor.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5440

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping532_1199407838\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping532_1199407838\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping532_1725045429\manifest.json

Filesize
119B

MD5
cb10c4ca2266e0cce5fefdcb2f0c1998

SHA1
8f5528079c05f4173978db7b596cc16f6b7592af

SHA256
82dff3cc4e595de91dc73802ac803c5d5e7ab33024bdc118f00a4431dd529713

SHA512
7c690c8d36227bb27183bacaf80a161b4084e5ad61759b559b19c2cdfb9c0814ad0030d42736285ee8e6132164d69f5becdcf83ac142a42879aa54a60c6d201b

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping532_2078659802\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping532_67706678\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping532_67706678\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.15\autofill_bypass_cache_forms.json

Filesize
175B

MD5
8060c129d08468ed3f3f3d09f13540ce

SHA1
f979419a76d5abfc89007d91f35412420aeae611

SHA256
b32bfdb89e35959aaf3e61ae58d0be1da94a12b6667e281c9567295efdd92f92

SHA512
99d0d9c816a680d7c0a28845aab7e8f33084688b1f3be4845f9cca596384b7a0811b9586c86ba9152de54cafcdea5871a6febbee1d5b3df6c778cdcb66f42cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.15\edge_autofill_global_block_list.json

Filesize
4KB

MD5
afb6f8315b244d03b262d28e1c5f6fae

SHA1
a92aaff896f4c07bdea5c5d0ab6fdb035e9ec71e

SHA256
a3bcb682dd63c048cd9ca88c49100333651b4f50de43b60ec681de5f8208d742

SHA512
d80e232da16f94a93cfe95339f0db4ff4f385e0aa2ba9cbd454e43666a915f8e730b615085b45cc7c029aa45803e5aca61b86e63dac0cf5f1128beed431f9df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.15\v1FieldTypes.json

Filesize
509KB

MD5
c1a0d30e5eebef19db1b7e68fc79d2be

SHA1
de4ccb9e7ea5850363d0e7124c01da766425039c

SHA256
f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1

SHA512
f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
240176e3dcfb84b3513899f06f14696a

SHA1
260cac9ee633dd50be203428d72f8183ed7eb692

SHA256
4db3a5b8fcc84906f228b01476bffed79841057f8891785a301295888ff6f514

SHA512
4a39105f65b8317d67b1211eb4bcf5c91b5ed9d6c0f05214748b2465f7d320f30fb9448376b8c3cb6cf40a1807be10e4996a6aa6cdd3ed58f4814c1b99cdbdf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe579f0f.TMP

Filesize
3KB

MD5
d17413b38628f2ea917bee5d8f5c34b8

SHA1
db6c1f75c405b33cb8b950c4d196c16f5917e621

SHA256
a9fe4ef95beeb03bf2665037a5b67f4ee246590f06098f50a4514fc303376732

SHA512
3504df4b11b31e5a64fdcde7915ddec32b5155ace33bdadf4ae66b57042107c599ffc321d214b3a32fe375654ff8c3f100cbb821145b34df9729c0e1e8628ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5f7ecf4d1079d4eafa11627ff7388c71

SHA1
97abb63cfb6fe663fb5cf27e7705b75110973b03

SHA256
66d1f39f51942afdf154b6cdefb8e33d15a3c09b21f853d0aa11f7bedfae9a43

SHA512
32d1983bb1d46bbeccf53f18e7655f463cd3c79e384579629b5ec7156bc3e67f256e93bcc1270d2120e7870cb4c3f6caf0cceb35010658288a548550e8381dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c0e30b31e8631614f93e893d996bf5bb

SHA1
fd3c546c3b23c4970aba977bde00abe3d633293d

SHA256
a64dc9b2fa409b9b8d3bd234844fff0796449997d5030a4aa01ec8c7b785c301

SHA512
7fa4980c4ca073066026f48b4e5d56aa7b9daac41bed07daf7548dc7f134a335d8576d9773cdcff0c8260f2777b1818755a77c2acf8e426325c9ae6520242c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
4a21eb71b0ea1215d8c2839cbb3967fd

SHA1
70be637fe1f3043c48019aa19e2c4c9e5d4b74cb

SHA256
4c96fcfb4dcb2306583431de0f280a75ff153a81415390d50a2994193805a0f5

SHA512
b5ebc7bf0ce868f3c7514ba8276d02165dc164276589186d017a9b00a5eedd359e9a39caee3972844788fef2791b9835050cf7d63cc05cee3c9532350fe22bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
dd578c0f18a1d2eda414761215030804

SHA1
e0f85683e2e068c45d175d9f2eee14f5c5b2a4dc

SHA256
71404f64d3554ebc4dcfd890a388693769971284eccd3be2aa72b36143516b1a

SHA512
b78e9d6f79c5cc109dec74e8a1bcb5c30fddf47e7dc84f75df5850cb8237c03f93bb9d3023412ef95c938f1f9c01b1f5d5992bb5ad06c3919c2052586d36494b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
ae125d8ab2771cd5fd60d301baf39985

SHA1
8b033baaf3745a08bfa734bb9c778af87cad9b26

SHA256
5b12049dc6cc9a6e24033e773c7e28b7fa931916ffe17f0a1cb8cef46c4ceae0

SHA512
df1a39579b84b706d21d580126cc6d4280ba6e2533928b06873f4c23f0fa45ec78b4e9dd7e1f774d5dd63ee29e153595b00f9dd35394888f0c86120c39d793e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
7fbfa308f40c19f14c7630f8e4cb5cc7

SHA1
7fddcb3baa3dc027b0f9f422d75b201d3b169d70

SHA256
c2627202c5fce5a6ff563d4dffee587135917ae88acb688d42a29eb087de2760

SHA512
a5e65fe94980112a94598bbff5d28571f867a578b8f466768dcd934d797c6ba7791936aae745b2ed5a0101589b303d8a002eb02dd68b52239a3460b82dded519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
f0191a7458fee363471e168862f7cadb

SHA1
0e5b192162c1ef3f19842af72e0f439b834c2069

SHA256
807321678b6209fc15ac148def3192e67f33119fc10e92397c657488d64bb5d8

SHA512
20bb77fac3cf1bb49ad7b07f032cd895cca87a8a623d6bfaff51958c31e1f3279f9ec89a45659a7d1917805a040744abe8e1c3d815cd7f96162e2c2a74e88c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\8dfd9030-6db0-48f4-9a01-47b1b365c5af.tmp

Filesize
465B

MD5
9b090da61ef0e506e51b2ba13b2d8a04

SHA1
9e6fb0bf2d40629438d72c3e61c4aae010b4b16f

SHA256
d940d6d16a126e7e2e26e08dc7bfd84eed288bef331c2dc000cd7283478e5de4

SHA512
4052a4e2fb3fac81768129bb0544f82db94f6c4d345c760896d2fe1f492528b428c131a83b63aebb981404acba0d1f005ff37aeddaa5f9c024fbeb1e95920d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
ef5f6ee3d9e71ae36c1d27499baaef15

SHA1
3afad60146ea3016a6ebda5bee7ecf3c47c6ca22

SHA256
0f7a0c323509759602fcbf3c62a79e96be8f880b5bf617d0216a6f5dde4ad4ae

SHA512
5a8a35d8fcf095cf4e7fb5974a9449c2610908f2b7bf6a541b1d97eb400c42e2552d2e8c7f5429015dcada1754cbd0885e9f502fdfcf08fa7fa93c593c9e3430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
3634b9cc24783cf0d82cf593d11d11cf

SHA1
509ff6cc76ab8f5b62ea63b19344a3df64cdfaa1

SHA256
f47432c5dd5445c0859669b7eb96021f72d42fe445a0160d0425e79ed7bc5ad6

SHA512
83200499906838057a74f183ae8c500b6e1f1a843bee98d9bb3486314bee1b4997fab6cd081627a721cebdcea2cae8f86fe3f13deb72ef5cdf2db6bd2b37f60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
16a28930bd42e364d6f15a63695ae005

SHA1
a0fb4bbcd07fa4a0038fb1ee44f5af326b12ef20

SHA256
6809bc059d7367197ae902035f2ba6930f62cb63aa850e6a350a6c80b54f5b20

SHA512
8467614678bf9788128d3577d3d44f207f7e5b195ac9c0e2873707b9105b6d85db8b4c528124cd80190463906549995fd2884ad59c2425b440c7dbe8f7193e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
254f4adcf373f22fe809219ceea5538f

SHA1
c24b36f14286c6ec13e3be7b86c297323846a962

SHA256
ad42139254bae9a6429d64308360fc332f4a7a9d7cad7ec4ee30d7bdb573181a

SHA512
9ecebf747d8412b41d1832b38b853e881918adb42ef5ff324e39f24a699eaf8e8eda3548d9fd37a17eb12c5a074e806bc1321d05ec9067fb633f0b46891a00ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
9c0b3c379110d54f80fe894c393f20a1

SHA1
0ba13c01db03ab99fad21615de0a4ab7f06abd19

SHA256
59e709ff8dc356203826c264abab182b8ea56ca3d3d7f8079b28110717209c18

SHA512
3eaa5b68f29412e28dea853271ff98da4396ae24434dbff135da7f34511b48dfe0f4749fe04e43ad8897618d7b45cb942d2870aa13f070b009ef6d0a2c2e9ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6cedb828acf181065f27fb60ee7ec942

SHA1
4a2fc16955f9e267662de280827d6a0251c9f574

SHA256
d486624191619a5b5d111cf00be2daff5971a155140897a7e30ed84b6e47cee2

SHA512
f1f6db3891d939d2e21009a8d90096e0bafcba1f86e507f903310f4aabaa5dd184b883ed1a8db7fa96b5dc0c26c7fe6e7c071d17227c3ee44c76cf3d8c41d7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
34233beb318a00c7cef13527def5d81d

SHA1
9eec583e809a8cee4a57812e1f50a6b93ce07433

SHA256
fd0590a8a452f419774130361efa223532a514797542993f5ce4da7f2c909c74

SHA512
1f51cc9fbcadbef7a693021f5ae5c654267afc9ccf3ce6b5650eba8be3957ae4a577274a7e3c33265675c6f4ceefc2facc7527938892a9a503e7008e2380fb21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d37c6de3e8f3c351502ad82fac499dbb

SHA1
7ab54e703ba528c29fc1dae5805fb6e953124a98

SHA256
6bb427cffb6ff2108e14a9fa7585aac8d2eb658dc5d426af2f48663f7323ecb0

SHA512
142b7a1bbd7dd9a4a26e7e158cd2220768eaba72b6e09d469588811d8e3eacc5b66ea6ee963127c46c872496790adc8e8a0504693450901990fb6a79f42d3524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
0e60aeb231dd7f6fbe2809b904a1e070

SHA1
1d71229722305627d1f85f793c1d32c4721756e2

SHA256
ab84e966b06add90c6cb581f49e402cbfd151dded8f4c6a1b3218a13005e2d4f

SHA512
3e94d766e5a9af73e4d7e5bf55e7cf755503b750fdb62d6431b0f49153f0d582462534932af3960f02a471bb6ba8be460937805fcae34f6e6bae06b8bc426d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
72e1d280032c637c9c58bf5d893c97bb

SHA1
3315b5b90b25eca6adeb145d9024293ce5268025

SHA256
642a45e0636a3d631f1ab1a239cc7fe319a71b01f7d375211300027d1d1f5dca

SHA512
b90a0e36de8eb827a7673bedb5f5990eee7bccc82eb909772f27778986adb9c0e3b44f3dcc6851a61e2b67b806c35f9ec88320ab07059cf1ef107c4ab9e51812

Download Submit
C:\Users\Admin\Downloads\DCNuker.exe.crdownload

Filesize
3.4MB

MD5
10970d395848cdc23e4e3481cd177695

SHA1
f938c5e885c3ff9ba8db269a063e70118fa935c1

SHA256
29a109ec74db746e96904e3e49ec381dd7713489522f20b29f5b92c3af3d231c

SHA512
4aa50d793c64af16f7389bd0745cd27fecabcee229c330fcc56e2af2c4faa4038966feea7f4dea404e163130e64e5b3eb0b55cd5d65de06e10b89f4954696186

Download Submit
memory/3240-553-0x00000000002F0000-0x0000000000656000-memory.dmp

Filesize
3.4MB

Download
memory/4700-580-0x000000001BFA0000-0x000000001C052000-memory.dmp

Filesize
712KB

Download
memory/4700-579-0x000000001BE90000-0x000000001BEE0000-memory.dmp

Filesize
320KB

Download