quasar | hxxps://gofile[.]io/d/vRraKY

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
25-05-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/vRraKY

Score

10^/10

quasar quasar spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

quasar

cr7stakewin-27924.portmap.host:27924

Mutex

b16a5a4a-0575-4e0e-8ddd-77ced9920af6

Attributes

encryption_key
72EAB2364235F953EB6EBC4967F5FAA96FD1EEE1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 781771.crdownload	family_quasar
behavioral1/memory/5236-165-0x0000000000F00000-0x0000000001224000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

solar.exeClient.exe

pid process

5236 solar.exe
5596 Client.exe

pid	process
5236	solar.exe
5596	Client.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5712 schtasks.exe
5644 schtasks.exe

pid	process
5712	schtasks.exe
5644	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611108634888109"	chrome.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 3 IoCs

Processes:

solar.exemsedge.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	solar.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 781771.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\solar.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exechrome.exemsedge.exe

pid	process
952	msedge.exe
952	msedge.exe
1340	msedge.exe
1340	msedge.exe
428	msedge.exe
428	msedge.exe
1040	identity_helper.exe
1040	identity_helper.exe
3064	msedge.exe
3064	msedge.exe
5560	chrome.exe
5560	chrome.exe
5820	msedge.exe
5820	msedge.exe
5820	msedge.exe
5820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exechrome.exe

pid	process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

solar.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	5236	solar.exe
Token: SeDebugPrivilege	5596	Client.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe
Token: SeShutdownPrivilege	5560	chrome.exe
Token: SeCreatePagefilePrivilege	5560	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe
5560	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MiniSearchHost.exeClient.exe

pid process

2204 MiniSearchHost.exe
5596 Client.exe

pid	process
2204	MiniSearchHost.exe
5596	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1340 wrote to memory of 5092	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 5092	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 4940	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 952	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 952	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe
PID 1340 wrote to memory of 3216	1340	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/vRraKY
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c29f3cb8,0x7ff9c29f3cc8,0x7ff9c29f3cd8
2⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
2⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
2⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
2⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
2⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Users\Admin\Downloads\solar.exe
"C:\Users\Admin\Downloads\solar.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:5712

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5596

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12305161962576262800,10061034720709204524,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5296

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5556

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9aa7aab58,0x7ff9aa7aab68,0x7ff9aa7aab78
2⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:2
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:8
2⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1884 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:8
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:1
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:1
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:1
2⤵
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3820 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:8
2⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:8
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:8
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:8
2⤵
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:8
2⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4536 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:1
2⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4868 --field-trial-handle=1784,i,3950059455213842769,16413456380964719989,131072 /prefetch:1
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0c286ff9-c1d7-4b1d-91df-db178e7b989e.tmp
Filesize
7KB

MD5
e4e400d0a1a2392c03ece32d563218af

SHA1
f3bc987b2dc78f0a9e0f1dc39afab895a280a9de

SHA256
42c978b3f518a2081a385a2fa2540a4e029e2d1b720aafb4321d35e3669fde15

SHA512
f12306653a48e31d9cd380436f68a75c072a08dc2c35e7bed457eb958b1000df178124cb84158dbd105b802d639032c3cf92463e723118e5362f7a031663a51a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
60fadd438b2ab594fc7771c3269e6d17

SHA1
67040acd307cce302aa8e1b7a14db2f99688406f

SHA256
b1b638388bcdfe92c69142d728436fced95277b359d870246d563f4c55c621a7

SHA512
4cac450396ea67d93f4e6d4363793dd29763ca7aa660be4d61f333f563a7838c10e7808fcdb303dc8122606c6453f87b42ee22fe4a20ca8bf107cca4fb2a4ce5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
92a075ce9e97834e06f4254018934323

SHA1
9a7be3f1dcfce2196f965416631047bb11643562

SHA256
f91c179398ba7b9973544a94c2de1261e9c34d9d86685bd815636e7a9e2d025e

SHA512
88aed416d219ccfd8a49367753e64696f4d6aeb7823c645f196f2d4e0dc0ef210996e7ec1b85ccb4b9e58d1e63e474c8cf5828f91976a50c41b37f52244f2938

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
12091aa90c56c1d89053ee959270f8a3

SHA1
131aba5daae36293f3ef7ac915c55f1e52718ca4

SHA256
f370119917152c67179bd3153626571038f74952804a763177484727d6a7dc2f

SHA512
acff295b71fb5928a27e16197eecd00c7fd580873553b445dacc87ecc167ee3974d0ba002df3d1f40c709c0e8100cf9d1e994712e2d7ce26888a0a03fa95e16a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
aad0d10699a08f6f78e00394934ce28e

SHA1
14b6c85b41ce19f679a2b85cc32cfc7f2116c970

SHA256
2bfccc98f31847970769e2ec327d7f7e0d52a17e24d473ed6d798c1024d91c14

SHA512
bcc99075e083582148382c3c629606bf27381624e07a35264abbbe409b355615c23999e0ff99d594bee26ea6096b2efe5eb1651447238b35bb7d57c594b5b8b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e394374505a00c33dcf3c55e6dbe0cff

SHA1
05fd92dbe1a473c6619456b7f6ec8f42a0fac2d4

SHA256
74b9bb277512eb3c09bc01baa583c296170fc1fb9ae608a014495bafbeddb439

SHA512
47fedc026f158683118e81f071980a7feab20a33e187ac4689b3af1df4c1dc70465eb80938233d510ab4d08ee0bd685c82d779e268a1677f7f7bc142559ea031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
8b42707da5da5e633fe94267bffab057

SHA1
de0c7282cced2bd7c8844a6ee1a4547af5c5964b

SHA256
e45d8acbc12f99f40e65cadb2a8e55cfc6015195fed169698f2fc9df610eff47

SHA512
80b1e081939ff703e6696faba8ca7724ccbba66c55fcce8090edb3114e99d735d3a66570998faaf641814eb98f400a7dc6fa880750981a454820c445d05e3db6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
4c21800135f38c9276e0e3582b08087f

SHA1
2597c124a192941afdfb351d3aa3fa88d18eb6b1

SHA256
26d2bfc8f9bac1662956a9c11dd508bd3b77529dc85702cce78002432bcde24c

SHA512
a80df5543c7621642005b4c03eff043220cce54fe6788b60fe7ded7d06dc5395d67e89635862a3412e0a5643d30a7c553d7942e4612b195a436bc9fa3e2884bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
62928fa6a7d15ece7a44cb08e968a552

SHA1
42bac43e104868a6de6b9d537a466258f18aa12c

SHA256
2336a041e8ba93d3af0494348d2b556632b4d6ca06e70e1b4ea31ab4774e9ad5

SHA512
87f3ea614d25a367d1d0f2fa8d4b76cbe8c8e607127220c2fc32a07bf3c8217626baf0f2f3cab4d893d3ed3ab9d55143de5ab7688ba64b46341d2b368ae330bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d04cdafc61e4dc626692e44c0114557c

SHA1
f65cc2c5622b8efbe731f71ad7b0048981c9e774

SHA256
ec0f82db7e25e375775f3806faf1ac2014e92f1a537f353db19030397c7fe10a

SHA512
d17f343cc1e0542b9077fde2ed22248681b2cc071eee35ecddd2dde7c69cc4a4b4827a62788b3a858c9e9b42e2c7093a058940953eb0eeed8d34afb7beb3230a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
492b1d32f2180140efa5c712e89ff2d1

SHA1
4731a016ba88e75a140ec5d9ea8e071b2bf56fd1

SHA256
333fa28ad2ee6325109c845ebb9e539b68d2b6aeb25d429fb6fad58fbd517ce5

SHA512
d3a727739dc3a32338ba225ef8bb5e1e1df24992385e6f9bd663f87ed6bc5a6d6717e5a0f5fa753ee4c59cfe0af236d3a263eb120102c110bf5990a0b7639950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c4f032151392aed1c31c1f5ecce5e8b4

SHA1
8361315f54558d10a569e93e87898b673e786d69

SHA256
8100edee79395e8909edcd729920e6a2e981a95cc7f1dca0158ac21d7768cd6f

SHA512
5b88e8b6f5b5f2af345f9572c769ceb8b41d907e517c4418969e61ecf19a2feadef60b54e92a7727de9d4f127ab8a2f8b3db0db9e00beb178ca99390bc186b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2d8a1046f5574dc951abaa13579b562d

SHA1
baff96b44e0e307a5eb63b2aae19fcdb0c59a85d

SHA256
9138028c61b15fb6c563cbef5ad3e655d8ee1834bb4d0134297cb4c33e0d7b58

SHA512
afc24ed304658fc375ca4263cdc75f6763dd5f00523351624418fcabfc87e11ffc5bcbb9cd9859aecda4e7d343750386592f02c1fd5ad67445d4c76f552b90fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f647d0ee08cf31d172487f65c9ac5611

SHA1
5dad5cb1b522d7771af8b251ff0ac0081c831cf4

SHA256
81f27444770014c8b4065bb9b8f320f733cf463765321bd0f0ca09e29c95fa3a

SHA512
e2d2a464481f4858c6a43f65d3e2fb18c8d7d189c285a39dcdb3ab1c5486aadab29ec0284ddc7afd5aff5467bf54ad6a34ad169a605e24b6609fd926bd3184bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
043e8ee2b80077c5a6a595b9fdec063a

SHA1
4d3a469f70bacfc009117134a692f3d24f3e4126

SHA256
c2d0d925ad270ba287f20c051ee1a8a98dc4b2e60031f69f8eda55a005389bdc

SHA512
f3146b9f3549f9e227046c9891bdc2a6da5e3b0fbfaeb874b4bedae26b114b23a5150e596ce86ab76683e92496283271ead5cd8e588bc39e6bf48259adcdd0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d6c692ad-737a-4f94-86c3-4bbdb936fc82.tmp
Filesize
11KB

MD5
132218baa0a874ab4a661fbe1abb0c33

SHA1
4933031ac3ca3ca72545defebc09065e8d1b7a7a

SHA256
5b9e893fd922ca4dc39c9b66de4e42b60d1ee56bd83ec4745c880fa39394ae03

SHA512
b31ba0d869d81ed731d3c65efab6b1fcf06b9218c379b68b8d76490bc1b00adc81b0debd3ab6128d7c433bb84f958ef66a205b4bc2cd795beeca01b4b7e707f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
bca013349ea9cbfeae8a6a2fcfc0a968

SHA1
e6e8031627dd6efee732345a879d37bb8f5bbb62

SHA256
72996bfeb0e86a9816bd2521deb29d43117b8ea2dd12e81e002222131a40b672

SHA512
6adc3a35c751ee3aec51ffc33c00113e5c795b7925ea31cd9f412b386a9e1fec54b89a665678ce891e6877f01f981aa5c1c19a24fc9ee8687e8b72a39b4478e1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 781771.crdownload
Filesize
3.1MB

MD5
ca558fea52e3ca7a1b61e0f69ac268b2

SHA1
2445d78506e19c17c99eca0744719c409c1e2c04

SHA256
a3773025a4ff7ba7e2ea475c8e5b2c74bd60f963ad9e27ae7ca0123fbb235976

SHA512
7d3e5cab72a6e7da4d2cc7fca940d58d0c0c82e1a3ee5dfce38317eb6eb6446bac82ed66bfc96c84e1c7917f1a00c1635640daa42ce09fa3ab27c5f213d73396

Download Submit
C:\Users\Admin\Downloads\solar.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_1340_GQPWJHVPMAXNFHBR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5236-165-0x0000000000F00000-0x0000000001224000-memory.dmp

Filesize
3.1MB

Download
memory/5596-228-0x000000001CDB0000-0x000000001D2D8000-memory.dmp

Filesize
5.2MB

Download
memory/5596-177-0x000000001C470000-0x000000001C522000-memory.dmp

Filesize
712KB

Download
memory/5596-176-0x000000001BC40000-0x000000001BC90000-memory.dmp

Filesize
320KB

Download