quasar | b3c40f057551db10381b772c0bd45dce4f4ffc8eeba424a985f8716e595629e0

Analysis

max time kernel
220s
max time network
223s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-11-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hmm.exe
Size

3.1MB
MD5

ee9ed61568e4fce02ab542c67cfd1b2e
SHA1

4df048ac26de94335d7dd6401afb0e6c9c56779c
SHA256

b3c40f057551db10381b772c0bd45dce4f4ffc8eeba424a985f8716e595629e0
SHA512

83dd4d2263ce3e43e10ff79822208a66653cdcf0a84d46adca966348be6a9683e992a9f1abd82c95548cdbb02f3d1b0b8e6e4f7fff301c614fba517875c372d1
SSDEEP

49152:3vyI22SsaNYfdPBldt698dBcjHuHDLoG8O+THHB72eh2NT:3vf22SsaNYfdPBldt6+dBcjHuHPh

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4584-1-0x0000000000500000-0x0000000000824000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4228 Client.exe

pid	process
4228	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

Processes:

flow	ioc
156	raw.githubusercontent.com
147	camo.githubusercontent.com
153	camo.githubusercontent.com
154	camo.githubusercontent.com
155	camo.githubusercontent.com

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\17281038-99da-45a6-a2f2-3eefdc643844.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241116232911.pma	setup.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762732391348985"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4044 schtasks.exe
3284 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exe

pid process

2104 chrome.exe
2104 chrome.exe
3340 msedge.exe
3340 msedge.exe
960 msedge.exe
960 msedge.exe
2684 identity_helper.exe
2684 identity_helper.exe

pid	process
4044	schtasks.exe
3284	schtasks.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hmm.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4584	hmm.exe
Token: SeDebugPrivilege	4228	Client.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4228 Client.exe

pid	process
4228	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hmm.exeClient.exechrome.exe

description	pid	process	target process
PID 4584 wrote to memory of 4044	4584	hmm.exe	schtasks.exe
PID 4584 wrote to memory of 4044	4584	hmm.exe	schtasks.exe
PID 4584 wrote to memory of 4228	4584	hmm.exe	Client.exe
PID 4584 wrote to memory of 4228	4584	hmm.exe	Client.exe
PID 4228 wrote to memory of 3284	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 3284	4228	Client.exe	schtasks.exe
PID 2104 wrote to memory of 2852	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2852	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2932	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2748	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2748	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe
PID 2104 wrote to memory of 2196	2104	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hmm.exe
"C:\Users\Admin\AppData\Local\Temp\hmm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4044
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd49eacc40,0x7ffd49eacc4c,0x7ffd49eacc58
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3744,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5080,i,2984693739823935125,15857367171822013392,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\StepJoin.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffd615d46f8,0x7ffd615d4708,0x7ffd615d4718
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7ff74d315460,0x7ff74d315470,0x7ff74d315480
    3⤵
    PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,830475271098465462,414217544989359324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5909b4a5-046d-4698-8712-2a605f96d10f.tmp

Filesize
8KB

MD5
07129721e60244ee075512e4e54ee2db

SHA1
7e7c4029b07e508b5349612c6ad342da5308ade4

SHA256
aec853b20edb8ca4bfc42d25227df6444dc1c5d850123ecbb8df7a450ec1dda6

SHA512
4bbc204fcec82ffba6091b6147bdf872ec03ff0ccd2445f1ede9a84a6f64bad1007bb5f62123229bf12095a572e7d62ebe00dc821ca1c135f525114993f0a06f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2d6f862b9b0d35d2f02638a37703eeec

SHA1
8ada419e940480b645dbd3324f9a4f59811c345c

SHA256
a98e6df08aaaa2063afaca8f2ab12e6deef02ebed9eda86b4cfe66ce3fd6d879

SHA512
0c3b56ea2c5fdebd693225bb266a01b93c995ad9c8ab5b29ddb848a3a4fa2ef20778c34827c5129670e3063f984743e29da2604ea07bffe2a1464cd46afcec4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6700c4e2e0b8d1784242791eeb2aafd5

SHA1
595807ae78968ec49fdbfeaf63d220e65cb2a8cb

SHA256
7e68ad4c1ae72a4b01974e0c83e84aaac8b78be521452c5939cddc236f91b02a

SHA512
f3b111ff9022773396f615df0f539121b8e900cf31eaeebae68e01c0a6ce6bf7e06e3e8fedfe7bc4e378c0aa389f59ec418e2758569af6fa71dcbb28ff693150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b7c64048a745ad4f925863b537bd96f9

SHA1
f09c0c3c3d60f62d30841feba7baa83dd94b2134

SHA256
a69f0f623252118b0867c14f457a87076f7c7c3e61c8ef7e237fa39d769d86ba

SHA512
40c9e27111a53bf605785aa5a4fe86f62bb3d35ef91b6adfdf303c100b7ec8c89574a92b5231b33704906148f73ac6f9ff5974e978274d72171429efe42b35be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f89e25e58091c199f78ab610b32873e7

SHA1
9d8a33c92a2b8dcd10f65df61684292b64965dfe

SHA256
c33c93155aa584992384042292de202d359f93ec282bd5986d373fc9e832afb3

SHA512
468f3147afd6b3856cc440fbc7cd706bb4d3c6f4089abf77241c0db278176d83a2723e0436c0e5e532a9f8ffb10003b3a098428af67dccd253410bdb458bc54e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
389850ef8c5856fb242ee3eb2d03773a

SHA1
c9c39dabb28fd2f9953542e36289ade36a4235e1

SHA256
9a515a96a25487b071a86a4179428fbf1d64493071c9cc76cdbe1adc3e5c490f

SHA512
52c3cdef7f5dba010ee7bdc438db0e4e860564a8bfcfa85459042498dbeddc20a954b5d6f58763b052dce5627634739b0f15e1b59149d165ad56dbf4a238e333

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
1b400774a7275b06a17c586a1429ddf0

SHA1
9150c7770d465576b43ffc2fde9b54a0824bd0f2

SHA256
4e8440423d8d961f1d08b29be3ed60ae9f77014658fd1d2baed5d8a8cc1cefdf

SHA512
6c427c37b7d86ae445937c6d4cd3c4db83976607886a08960ba96fee5cd45ca4c2fc20bfabad48594faee7973a7fe52dbe57f458c8878fd9948f5211f6263d42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9c0a01b8fa86d24496783ccb07fd5f2c

SHA1
a82b2642df41802c7182cc83e92231a5d2abc445

SHA256
6ae0a03ae35e3c93be56cb0ab9b7feaed6ffe566caedde7b79d1070bc7d70958

SHA512
a9a53f62c21e39e50aecc6b6f03a8aa2d134e440062e861387e224353f2299e214edea112c8681caf116d4df880a89be787b22f30baee7bd4dee88d31b62e342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45fc54480b5429131b2f4a98974f1b39

SHA1
bfb3c6735577b74a198acac3ff685f24aa5bb9a2

SHA256
2137971c4f5902a84b9d664459e8c1a5850e4792c3370d61b4e48f639e7ef814

SHA512
68346d35c2a22b76321dd37eb4c15a20a765de0af096cf89fb4bebd611f00fee23d6877af6c810c736dadf02d9b1f1929e0eb9cb3b2176cad3d4a601c254f182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
04f24c1bd60c0c7c378152e86846f5f1

SHA1
64742cf9b799bc3cdd050f56d4f799c6c87cb31c

SHA256
0782d4530fade933be5827aa754a8eafdce15f18b0637d7f7cc07842fcf369d3

SHA512
088c6871a202f63c2b1506d5cc02462685e31384f470e6596c58efa6e82b9a046ddabd7921401bc4ad32a0ddb30a70390ee3828de557c7b12c67ecc568334a91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b8b9f7242cd3cf3ca71813313472bdd

SHA1
8f9c5006906965014e1e214bb7c66f45267bd061

SHA256
ffb77e0c6df832df463e2f66e0bb6e8fd70fc07b893b24dc7eb2a432230ec58a

SHA512
8e92eedc2dd87ca6b39670c6de3eae95f975441e64d0eca2628a6686d2f9fb1b5f216ed409052b0ef21f44acb7cd87366426c3201745b39be559fec12651b39c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5938d8d4c271a76263a081bf2cf63bb

SHA1
7d265b5ce0fa0dae7b7c62d3b262770ba8525d9e

SHA256
2ea8c2023eaf74696f3121fe83f7ded59287113a51eb0cd3eadaa5788fb7ebfd

SHA512
66c793cce579d2f22558833c0b93ee1c6cc0327e1ea2d20c1a9feb4a57ca5a65755bd8f8cc2ade293c62b305ef14158895edf90d883f449d309e019fd7177001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5663be545f5fe7ecbca2336fc25f0154

SHA1
f468282f78a0c901939213de99bfb3debefd3c49

SHA256
f0939db9fa6f63b4abba61f4e1fc97fba5ab3d0fe4bbb39f9d05046aba1f372d

SHA512
505fa300cc055504f0d89dea877c852a00dc15e4783f58b7e9819e6fb6dd28c3841ec2f06c8e002de8dadbbc47e3e6281f5fec2ce56159e6bff478a50ddd4093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
df59ee1e03f34f95706dc6323c90aa19

SHA1
35115e67e34da2a240b68b82f2c53d2016b221d9

SHA256
f8ca3342c79aa00eec5e36c6a83258edec192718a530c7ddc280155b53b3edfa

SHA512
ebcd008f44908c93358704730b8932f5c325e69245bc86ffa69ea32fbd06d3d0f5a20783f8b9ae63162b2c153a204e1b6387015c40eb02a49eeba0ac9b4a3180

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
65a958ed1a4d68aba5b329e7d2edf0ca

SHA1
9e1a64d6c8a41b1b1468316d9cd325d6218702d5

SHA256
5915aca00c3c0f8529cd0c5bedfddfacda486f6e60b24826ab96d603b1ed066b

SHA512
ed7f3715af36f94d9c1984b0900a7ce7da877aa072e974b5eb8f4540faafccd45a05e446a852a06130ebc925aec82bdb765af098bbd6d847f025f73fd8a7eafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
b4ed41ff270dd16e09d4f9550521d99d

SHA1
07f68bc8afc85586a4e03914fcb6abbbe10b050b

SHA256
40e339cfcefa0c6a7dc82f5ea8a83ab8e368d9403ac4d1049a60f717e9e8e38f

SHA512
aa6e1bb720370da95453aae3ec63a2f13be9d74af248edfcdb71ed7be3b6cbca0ea73018ac5af9cc4be3c370f79d8f3da47c613e5a81e6a1382fd7c35a7867e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ed85350e1a33ef66ea42547a41dd4b7e

SHA1
16e8ce4d551f2a92f832cd86af8a57855a145b45

SHA256
d64e6331944716c87e09a4c139e923e6382878eb189f79a51c3afb7ccf195254

SHA512
322c034cac1b06bae906f61bdcb778a7e3c0bfa736069eef0867a1eb5b1755f96012dce299b448ebae574805d4855affd3985791da8f952fdaa10802916357b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5391bd7b113cd90892553d8e903382f

SHA1
2a164e328c5ce2fc41f3225c65ec7e88c8be68a5

SHA256
fd9710650fc6774ce452b01fb37799cd64d3cdc282ac693e918e38322349fe79

SHA512
41957bea3e09c2f69487592df334edc6e3e6de3ab71beb64d9b6d9ce015e02a801b4215344d5d99765abe8ab2396394ac4664fced9f871204453a79463cc7825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2905b2a304443857a2afa4fc0b12fa24

SHA1
6266f131d70f5555e996420f20fa99c425074ec3

SHA256
5298bdb27d48c2c2b5e67bdd435445ef5b06d9b36c11394705b413ff3d0f51f3

SHA512
df85de0c817350d8ca3346def1db8653aaee51705822b4c4484c97e7d31282a2936fa516d68c298dcbbb293b044aa7101b3de0c7852c26e98ac6c91415162b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
8533dfab98314223cf4f6bc425c89ed0

SHA1
0bdfeddafc858693268a36eb1b7e795069a10e43

SHA256
c04aeabc65fc2639f999fecaa239c3abdd198c525c45180a15ffc508f105e842

SHA512
c1d5abe27171097300793e5d78c6d86d2adaac46da0f050f950902a4c1cde899e71faeb4fbcd62bc9d9c4836f06358263b14904af41c2a2f7ebc1c058d1c2918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
096f8f4c6c847b3b2dc7cf7c8ad36131

SHA1
3cecf7199188ee9db015b2cddd2d1a3f2ff5eb0a

SHA256
4bf83212aaf8676f6ab3bcbdc6c26d773562d3369db1490673045a551fe1b4d5

SHA512
14b69698ac2552b49603d29cf24af8c6f1c8f45ce4dfaad6449c43c1825943b1de87d5924c9456f419df608c0f1eef36160b43feb0142cba976e1028b3df6892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e8704566412bb17516ee99684d23f08

SHA1
52a782966c85fe77d41beb0c26f7a89bbe6f9454

SHA256
9a0d39c28ad674fd19522416d08a557b98968d27e4d5e5e4f23f880b2a41b5ab

SHA512
56f10c2eecf3ade48f2aa8227315857dea1bfc75a3e36502327cf87767f58efef0b0ca1ec5ab378ce5b02dd100a539554fd51e46d2a4939e0e4f6adaa45847ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
498acdab2f8e66fb4aacec40d86da4eb

SHA1
ec23d6997aff555bf191e28e19c1c49974924190

SHA256
d50749c3947932c3033870877eb81ec02205d99e70b5b81d5f1e65c58662b361

SHA512
58026059eccd10de0d32f9c9733c9813c5d6963320fef833db7f385d0be86a54440e2e06a99846317f85df278c9ebac8cc4579f21831c1524f9c46ee41579c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea907f1087b67aba7ce25aa903b74da5

SHA1
99b9ec0e6a490134845566ae5c4ac911e5203f0e

SHA256
2de0b47514c8337d23b2bfeff45ac48e3e1eaf5da26237242dde3bf16bfab216

SHA512
9b099252a022fa5f27b13c361a2d558146e8ed376ee62bc40b901c1e555002d584c73a215bb170b4e6bcccb619d26b0269e72e4e7cf40ddc27c548d3f21d39d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ad9709100fb43b77314ee7765b27828

SHA1
5cd0c406c08c9c1073b0c08169ccaffbd4ef6b98

SHA256
04b61824ffce6fdbae4e6a527ae58b85813226ee28fe4d631feb76b5f936a1a9

SHA512
fc55ee34b1107e298f2cfcb20dce42b5dbc98a7b68e72ed80a6ea594f66dff6f9e9cb70ad5ccbf5ad2171275f375abac1defd8dad4118afa280cd9c1d9f6a538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e122fc93c0ad25d45d09ba51a3e86421

SHA1
bb52a7be91075de9d85f4a4d7baeecc3167c871b

SHA256
a277c1c6fafd7a44b47d94e4bc3c0337a64a34d252e58722855aab09e6f52bee

SHA512
12787aebefd6a5e4584ec8747a78538f948a16b214bdf81302036ae89e2c4563027847236a4770c4f780a9ca0ed03f29b1577bfb6f11feffad85b7a625324bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f4e604951b63af21df4c8503c765dfc

SHA1
7ffe92fdd1618ef135e9b53039d07c52e09e4b35

SHA256
e620f7a4c3be01a47d1a52dca5318bfdc9757f690c1a41a840530e3910361bfc

SHA512
220b1636054d0c1a3ee74568fb49db39e01159dde42de7b0f08dc4d6bdfa1744fadc744e768793712f40f73cca1af6d5e8d91358f9b1f414065e4277686aa3f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f1bfd53efc1430df5ded05d1537fd4cf

SHA1
57fa78a70b74c233d9baf497b52f3e1f9f94e3cb

SHA256
43fb86e2953f7488ad2f60c7ebeeae93653ba5bc75e6ed5f63334362630e429c

SHA512
d1e908113f91896b8d188d4c1f96faa9f479767b8ea16bc9962fa19649c988c579420ea2328b8942f5bd68faed304b0c78816359ef813461736fc973b790a01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2238c71c228678dc6d51de8b396483c0

SHA1
e297b2f4cf355e88cc3205b6f2461439fda502c5

SHA256
76c4922cbd3ebe9077e14d28b87f0757a65981d8c8c00fdfdfb59dceb2863f26

SHA512
bf6ebd0600626fbd5461d4a3148f56dc67bcd2f7792207679f2645c39b7dc09c8161b67ba1476d1d199303489f748f807802401f949962b459adb90a32833418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a7243.TMP

Filesize
536B

MD5
629a016441c11b217650323defbe9d2b

SHA1
5b0cd509e12b36eea6727247d90924452fa7e6cb

SHA256
6e8f363a735173682acabd12db88e36b6e062568e126d48cc5be1c2ea86e4287

SHA512
11121148e3ac6f5aa54de01b35f9c12905a102b0ac5628e89d5150d4399559092e078c26370f14dd7bfe62c410cec21b2af253e14955ca986514369c969c15aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7d9ac0f54002e318a27e60e62eac46e0

SHA1
5eafbf4bb3327456afb911e8e3f8c39a2e89eb79

SHA256
253a197a3c654f6cee7c0ded287cb036c7df1d7400de8b0066a9b69cd47c2aaf

SHA512
0276b5b68a57e431c766d2dbb305ceea048e331f60ebcf335a76d70600c4d3cb6078c1d3807e2be86d72c58e8dea34a9afd06234bc139e8245e533156722c20e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e7216cf6e342616abde4eb727efd2fa3

SHA1
670c5a1c9f12a9b90c0ea6a56389080fa32c9934

SHA256
d85f5eb3b7685c9aa1d36acb9e14692880b10c4c35708e2f5ef06c8d8f94e895

SHA512
05ca0ad60d53d64560a3b241a7b7853a732c2c839f155da383ecda3a0acabae373dad39d6c2a2626780527aaa42d4a79968c48dab01f7a7fda9d23dfc83e540b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
896412dafed0add115e5e0132bb660f8

SHA1
a60c615a3eca17d3f66f04e4bd990f4037c52f94

SHA256
368083956a419d9dcbf972be222bc3f1f03db79075fef9abf767d41f081e3dae

SHA512
29bef0f2c6bf6f2e71f0571bb433a411c87cc2ec59e588d37bdfa588ace18ed28c3de2b7fede4471c258b53f902fd27478ae0073956bf5c9fcb99c44d75adc15

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
ee9ed61568e4fce02ab542c67cfd1b2e

SHA1
4df048ac26de94335d7dd6401afb0e6c9c56779c

SHA256
b3c40f057551db10381b772c0bd45dce4f4ffc8eeba424a985f8716e595629e0

SHA512
83dd4d2263ce3e43e10ff79822208a66653cdcf0a84d46adca966348be6a9683e992a9f1abd82c95548cdbb02f3d1b0b8e6e4f7fff301c614fba517875c372d1

Download Submit
\??\pipe\crashpad_2104_XCPEQMPTEURFCLAH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4228-8-0x000000001CE00000-0x000000001CE50000-memory.dmp

Filesize
320KB

Download
memory/4228-7-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/4228-9-0x000000001CF10000-0x000000001CFC2000-memory.dmp

Filesize
712KB

Download
memory/4228-118-0x000000001EDF0000-0x000000001F318000-memory.dmp

Filesize
5.2MB

Download
memory/4228-13-0x000000001CEB0000-0x000000001CEC2000-memory.dmp

Filesize
72KB

Download
memory/4228-14-0x000000001DC10000-0x000000001DC4C000-memory.dmp

Filesize
240KB

Download
memory/4228-10-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/4228-5-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/4584-6-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/4584-0-0x00007FFD52E33000-0x00007FFD52E35000-memory.dmp

Filesize
8KB

Download
memory/4584-2-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/4584-1-0x0000000000500000-0x0000000000824000-memory.dmp

Filesize
3.1MB

Download