quasar | hxxps://gofile[.]io/d/3dh18s

Resubmissions

04-12-2024 19:48

241204-yjczjaxrdw 10

04-12-2024 19:44

241204-yfvp6sxqcw 10

Analysis

max time kernel
142s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/3dh18s

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.48:4782

Mutex

33376e96-8fb8-4154-bd0a-fd0f58f69afe

Attributes

encryption_key
9DE7C466D5C89B4DCD53772026AFA9FDFA35108F
install_name
phantomX injector.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1348-154-0x0000000000950000-0x0000000000CAE000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002aab7-157.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4012	phantomX injector.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\phantomX injector.exe	phantomX loader.exe
File opened for modification	C:\Windows\system32\SubDir\phantomX injector.exe	phantomX loader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\phantomX.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
2284	msedge.exe
2284	msedge.exe
1924	msedge.exe
1924	msedge.exe
3920	msedge.exe
3920	msedge.exe
1992	msedge.exe
1992	msedge.exe
560	msedge.exe
560	msedge.exe
4144	msedge.exe
4144	msedge.exe
4904	identity_helper.exe
4904	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	phantomX loader.exe
Token: SeDebugPrivilege	4012	phantomX injector.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
4012	phantomX injector.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
4012	phantomX injector.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 5036	2284	msedge.exe	77
PID 2284 wrote to memory of 5036	2284	msedge.exe	77
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 2052	2284	msedge.exe	78
PID 2284 wrote to memory of 1140	2284	msedge.exe	79
PID 2284 wrote to memory of 1140	2284	msedge.exe	79
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80
PID 2284 wrote to memory of 1156	2284	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/3dh18s
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d7083cb8,0x7ff8d7083cc8,0x7ff8d7083cd8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,16603934853452364597,16706512400061953059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4636

C:\Users\Admin\Downloads\phantomX\phantomX\phantomX loader.exe
"C:\Users\Admin\Downloads\phantomX\phantomX\phantomX loader.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1348
- C:\Windows\system32\SubDir\phantomX injector.exe
  "C:\Windows\system32\SubDir\phantomX injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d7083cb8,0x7ff8d7083cc8,0x7ff8d7083cd8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11710771528921072291,13534904216451793259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2080

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55598db3dc40b52ef5937f295fe3372a

SHA1
4ca25d612f4759ed48f166df42e42e0b9be44819

SHA256
780a259ce0e385d50d83d2335dae08af681fc49ef9b0f3f0727d5ca8ba992cc0

SHA512
8f6a05691a334351ea534671619606f244bdfa761b20f4c42f60fe8378b56d1155af0a612f3dfcfe9ebe96ee1edd97fcfb3062113eafa57e2d4349ea9a360c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
48c141b5192e85ddea9848bada89ef32

SHA1
5907bca1339c33a441cacb2c7336893f311c30e9

SHA256
3114b67fe7f220a0e67664c2762b0e4da8c3b254c8ef210bec7b763527cfb0ff

SHA512
d657fc5b56fde88693dcab296ac8dc35600ab55abadac529da6df93f0f11d02176eefec64e2d16680d8836052d4272ef1769d3d9ad1ded0844625f66eee23c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
80182fec9ed4cbfb11c767cf2f3c2f02

SHA1
cc3f059e1a32755c0af829e71e52711617379eec

SHA256
baaefd85974746dfd5dfa1394961905b84ed61c867d31014f35a911a59cec9c6

SHA512
ee55c892a2698ed5ae39c68ea64a0d7a8998a93cd699071c5d86b8dfedb7b646a756bbc1801d589bc4c2be5907108d81a9b32fcc41ecf97d747f1b003be51ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
2694a902e43284f7bea15ec5a57a9e6d

SHA1
80b5d6a1d037bd5909ab77035b598cabcde667f5

SHA256
1537aaaa1e372341b465841bdd07b1e11b86fe522ff7d789abd1ddccfec0ae3c

SHA512
77258f5345f69a4f58336e944251742c6ace603d8f1362e1eb642cca1df52556a8592a3e79fec14209696df723a43aee54107ec4166c0af8e91290315ffd593a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
db06d44068395709d7e4180276d25cbb

SHA1
b99047642697c884b945cbffcd781af9d98710c5

SHA256
450b9bf90c54e454cd778a7891053893742a09e55f94f09f479556e904bf968b

SHA512
a2a67c320c3bf9e9f44ae37dd3be5aeaf5022c3fa11cceb37f700a5b20774a11bc18e31303416a63384078cb38138217717d2be8779cbda5874c80a9bfc3d57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
d797437e0016a6e1424fca636f222ee8

SHA1
aec4f9a9851e95110790d5dc2a1f101fcd843994

SHA256
8d61c16c1c6b21dd19bea2ae0a68735cfe580671c9d618e76e1a38e0d75df4ed

SHA512
6bb9363ef7cf73b20b2561f8eb0a0295528346e0133ac9a185a91176a23a7a23792b31ff91b7f4dbac3ab614dbcce70360de3b7fa35770819b9b195824b32c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
cf86fc979571aa22554e43d699f93d42

SHA1
9d760039783ec659fea02ba15fcd901242b28f97

SHA256
92066a9f4a13e5722a0aad424640e279e75b3fa26e6694d9dcd455d6819eb51e

SHA512
a0c770fb5af34687cccd98346bc94b92313d135b1ef550083f27ece83344677d529585a55b1a139abbca70eddc690e78629e0c5743768d23946361680bcfda6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies-journal

Filesize
12KB

MD5
05f4adbdcc626e75d8961f0bdf4fa1b2

SHA1
a0e67ca7ebccd9e87a614045b88fdf02cdcde2b0

SHA256
55ec4f79f38450eb28daecc4d33e188175e0dfac638657c35a876d02d60f0306

SHA512
8fee3559f90c35d5ea60674df69a6e6d1bd793a95cd6c89361b67a06a143491e04d5c5df3c14191371fb6ed179c943194267f236af9f18ad49e1ebbe111223a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
85f258d73321f2e2d73af500398fb9b9

SHA1
43c3901ee32c8c1b55641100f936013355925eec

SHA256
e85b718c7647e253f524c115d29ef433fb190530d8f28ed43612a83870ae177c

SHA512
785fd94c959caf68c4e012c6fd2598ef74617477ca45d0648acc76c36e8ccdfd6459a66893be887723d3328492dd308bc229c3cc29ada4abdde89103c9c1a884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
ae898c57b2aedb91b54052595f66959c

SHA1
9273518009dbe65e0e7fc888362cefe667b07b3c

SHA256
036afb7b3df01a69c46415b062c969f7c7a59b1a36d0333f0602ca59de4536d0

SHA512
c2a826c1e1ed17c24b5f8394ed8223a6c96167e55857027f50a217a0fc9e3ceae999ddab2b522f36f9317ab55f7cfe07b234318fa68621cbb6cecd7eb44cc932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
a39c4258120fe53db255e367f3545b91

SHA1
0b623449191e8dea06431572229b914fd3bc1b7b

SHA256
3bfa1f6b7d79da39dee709a3bb8568b3239266abef109cb908007e908c77a6a7

SHA512
78eac1905867725d4e2164d70a7202d5b57ea9c3e4c33006407855f55e3e440a41f8bf6708d6ab1271323953c09d42f53fd07b192ebb37a77bd6cde62318e158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
630B

MD5
696b6b7895763d111e1ff80a7de676fb

SHA1
89ac5b6f347dbfa15d698f9bcf4429dc2e129aa5

SHA256
0135d7161b2336d6babd6611652d27ca2b07a1e2ceb8f5f117d9b6f0fc38dd4c

SHA512
b0721e73c70ce6634d4c7b21cb401f92832b383756c96f5afa9223c7cae05ebf1c368f75ad2981ea4ff090c9e666bb86da3886f3fd862a2681b1f512c7aa42b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
ccd642eb92629eefba71bba20de9597c

SHA1
d06eafcdbb97ad728a9509b365fe5c1d8957d8fb

SHA256
8daf0659c9dbad38cbb2dc650035b0369b5a661d738a4803d916de556159a6f9

SHA512
3e4d028843ee1ae11171aeb907b0d30cccc9f375b6966bdf0215695ec3b391f6cab7aeb524ddfea30a245dbbc7f3d56e8d8c3f5483607820645a2be88b11832b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
f5e9677f30ca035ec0297d4a89ae4727

SHA1
1a58366d2d48fc599de3a5971765741d0ae7afc8

SHA256
0a14ffaab1f73dd080174c084af1c15f2d97615252b47258548d8162b17da7ef

SHA512
fe7a5c07f94e0c81b98f77fffab9ff9cc576e41aa6f2c1206b42451379584be60c9e5d066f5b52f88567157e49f48750fa239282c7c77196070e8f32df95cbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
461B

MD5
1a2f5ab47878e3934f7a08582daae251

SHA1
38fa63042a15166f082a2bcc786329c8f8ff9a7c

SHA256
44b06e40fc9df792d33f59c12f8ad30b905d06ce46c1c609799fc3afa37880dd

SHA512
4bd77f0259e99ce348f02281c0178b2d3cc52c22e79050a618b72c020a2ac80c8436864934295e40202f6d774e320a9ec6910576569d9ea51ab79c4cbe8b0a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7db3dfbd3824847e38299e19ed495db8

SHA1
fbb346a0b070d472e259af72e5e8452bcb8b5cf7

SHA256
0e7ef01600508d4133a35436c94acac7aca6b400da7e200cd857f4c7cf1d4aba

SHA512
748a46889be2bcac7080c21c63c954df22d8bac7cc40c5e69f1d017d9bb6b27900843853f51f4d18465cef196187e969406c89d11820cd80edb515ad6a1cadf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7429ef12c8e029b682f1848331194b5c

SHA1
47fed81c53ca459fb38f14df40f2278d9eaec887

SHA256
5c1cc19c955e4e239727d75f1cba7b41126e84833462fab8d08e0eaf83d0c44e

SHA512
19d7e359f3f27399d248fdb13148a44406a93fb0309331bb518ff20d6bb591d459d3d7f4a6c8734a4f545a2d6b97a368b5a0d2424a044e51c59588d865092b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12fb7101d855287c86b555400409b757

SHA1
b5765844c9fd48fd241023e58b48cb7619a85900

SHA256
cf743396e306e4d31c6df31e1aa45af12f3f63f36a80e28c427bb8cdb16d6451

SHA512
6e2a07f9c0de36ffaa2e7499f44169f75fc5568cfba4c6b0012d048c3724bfec438ca48e90cd09a7cd8bc1148b3606ae9a7b278a4ca2bf4b465ec64e8b6f2eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f35b6af4683aba7245b2ac4c3f1a5307

SHA1
8e0901ac9fefd389105bed1f8c3ac8587f3783ca

SHA256
f2e22faadc1318371ea51cb474d7182058627625df92b10039f4158aa338d8c1

SHA512
d883b5e15b4bbe0d6ddfc4fe98e682fdc6e8702857ba3e6b8252744fd1c87877888754edeb8a09fb59985947d718f15d016f61c42bfcdddd8315341835371f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51a8ac56565e19ed0f24e63dbd9fb41a

SHA1
2afac2f06d78d68567c0f71205b9a47fd8969b9f

SHA256
a1ebce4486d1f59ae7e53e16c152feb6b916b0d26dc30a92cc91198cf02cf63a

SHA512
3d0bd2ac0ae10180be4a1bada3ac77323090b5a2f79ef749a0db70d13776b9d1ce3203ef68447e825ae84dbaf0e6c89b76125c88aca486845f198952e567a818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
326B

MD5
12593da66a45f2fd7abfcfd2635df14c

SHA1
9a0ec91abe2eda47e9976b66acf69e3e53ffe1bf

SHA256
4b9f9427d3c566bd57b45e226fbaac624241900847fcf36a727b4c3f10972ff6

SHA512
587fb1c656d8a6e791828acb1012d23dd598646cc04d372342105f1eb624a53b82b21b7dc3ef4f706dd1aa629c6f61d1d033eeac9ccf432eedef3ac0af5a02ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
d37c4faaaa882eb8d86b33145fe4e228

SHA1
dacd987ef9208e754346777f6fb0c79c5507c612

SHA256
adf1ea4229e124d21e531bdc799328d7f00c5cd83665ac8d4af8bddb9864317b

SHA512
51bf6d296b90076ae8b5348858b9f7e8acbf44b1588c14cd6d25bdff00260cb564e6a85242fe8a5dfe1e52f0441f7aaa7f4424c386fc7a8e4da7b0a741680b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13377815064124242

Filesize
2KB

MD5
51e6a9b24009e021005b24393c72b3e1

SHA1
49b99e45bab94f407754a471a835ec1d24475ec2

SHA256
74bc2f7be1b0bb42d07c42a181b0faef9067421ab2027d36a1b874cd23a7aa89

SHA512
11ab69a75b8bae930be26789b861aca5dcf31fa8a30b1d0e264caebf5d945b118e980776c7fd00be6b090f2261857c2a2eb895e6f619691608688996931cf78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13377815064368242

Filesize
2KB

MD5
de390cd19815b5593275ee438359989d

SHA1
26b8a5a9a903b48bd1776455d0b38462b1445f2f

SHA256
09cf0c2dc6bace3a969cea056add41e0daa33656b0eae1fdf97e99c17d02a75e

SHA512
73a3b44e53f687ec06e836f786e835bba2f5235a578229660063d10d4d81a9eac70134e0af2327197282b6b6ab2c4e9e96dcd889a1c91b2f780571c316f4309e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
a514d7523ed7e8501b1b895060f369c1

SHA1
01b3f443e4d8fb787706e4eb223ea05d62300eff

SHA256
f0a6e0510947138ce5fbc07620b384b41cf20ff49057d69f058ab3920661fb90

SHA512
20ac4a867b3bc85f85a067c316b289ea90e1aface6c4b766a3fd0e92e130b40ab6997e21a5f7db39a63679184ee61b53eb17172b8a7d74e94f148763ef0ffdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
224dddf276b8bf55a7ad17bc223efa63

SHA1
42c78e83e9c7b8a95490732174b87fa476d823f0

SHA256
a9254b3addda405b66a8d12b8d4b951ed3b68c019a51ed6d62d826eefd4a180f

SHA512
d98246448b4074ffd58ff212ca4a5fc12f458feb37b4db569ffddef61cbc6733aeccd281a73302360833b4f4cbdda140a8a02b2b7f92df545ee3d280239872e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
c5f68b4e6c954ff77d2b80957879d2a3

SHA1
7144c63f59461b7e864be74f9ad325d8df915c66

SHA256
7fa664726c2113c495e0e1bb59da0b17eb1b556fd1920fe7f2bdd0ec351f5797

SHA512
157e2b468978b5fdb6239f816a1ac77a2e1bd60090e87a748adaff5fb90af1d809d2e39c54dae77dc88312989a6b915ecfd2d822359c28eca634918383d0ec33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
e5dc5f80e025abf3b46b1bdded4d9d7c

SHA1
3f719fab5f52473032ec8c1d4a5c3b99b67cf7b9

SHA256
c6ec33fe25ba2f5a8cf4a2901d1916799b6cf588e7b81feb194e3dcdc6b6fc5a

SHA512
c28d755b4afe1a96c5873e5622113776729506172421dc6793fc53821684bddbe5b57b356a9a62605c7bdfd55827ab9d05d3615f46673582c27df881feefdb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
ec9dd9098606b87fcf41dec63df6f268

SHA1
8d6221c41cd9141225f387d2f1acc6aa7c5fb9d2

SHA256
c60150da2d1eb425854c97bfba51e4a88f2ffaa64e09eff7a103a209a8869e4c

SHA512
e6441474320cf27e23418facd9bf62ab4466e7202652a41626e86bca8b9b436d8d1eb01fa7b1dbc2f0cfe5774955d88c8a178534abba585fb22d97c58bf91c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
97ebe0c452e0998c7f3b4a8839a8b198

SHA1
b3489a0830f6fd722ce71febdb3304917ea46d34

SHA256
28bba7a8db049bcd914b771618ed03227ce357f23c0ad0f06eeb8b5b002d9d10

SHA512
9554cf0e8cceb71e29e94eafed07b3939e78fe5a5d2086fe3fbb62f5855a3b0173dae4e11e7a8258722376ed4bfd981c5cd22ce7dd0662482a1776d8b0954794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
6c042b59f361e209470324b399010dc3

SHA1
25acc2c84474c9f956d27cca67adac6b1de405a8

SHA256
206fd0ead394467d6317f40c5ac5e530c64c5bebeb9cd262f4e6cd1e7e039548

SHA512
54c3bf87f4fb733f8865194410b5f7d708fb50d85aea0c2e5258e377e830cbc261a1cc3f876b4cc0e6b91d70045caa633dc05c976b60af559e4b3abcaa2fc19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
4395d514c5c9296059a57492d88ca0a6

SHA1
ac50aeeae5cba1cfc9be96f201c609335c0cccb4

SHA256
0f52ad7ea53777bda9299797970a11759a0fb19563c493a060d27594bd3fe89d

SHA512
a48d1da84abb1e714a506a343c9d5f4fdaa15444417b523e8d840d7a6fcabb0db4236aa30d439999fb37870b9ac04c77bfc6fee6df99614f1e2114f7ac52a0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
18c186b5caf01854f4b897c0b4d229ba

SHA1
49be73436ace472d5e417187ff62555b60ff97e5

SHA256
6c89e420ad2c3bdefafb01967bca8d217aa5aaf0922559a6be30b612c2dcb0bc

SHA512
92a9de2b2eb8162d403f03cb5107eabf49bd662f737befed48105dae3d1ffc7d12e7a7fb949823ac375047f2d7a53d575bc808a61266955ba61f4e127b9fb1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
659fdd9493695d3078a2f5966b06d857

SHA1
0f5b28cf207708cc9c8736df37f33e7fdb7de3d2

SHA256
24f2f6e32364abd5db6376c9ed1627b774f66d5a6370d8c22ca38ec4baff71c4

SHA512
a80a8bdc3cfdc3a22203ddeda3816459f2998efee716c3c8d69f739512e3254b2059d0afa503176eb67190863ce7ea6744e40cc5e2f26dc48969b28fb787850c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
834e7bd922ad597765d939b3688d671d

SHA1
0cc07140ce1a5f5327ad356d035010b88e1a45dd

SHA256
d684dce85867fb3501132fe898f4d168a1a9f193611a57b3e0581e66dff12ac4

SHA512
f69621a54bdfcce1bb91c5eae9890e45f210d66d4c1b956eb7d09662dd5f849cb62fb50babe3530f34d9b092bdc23c3d81f94a888e77db0dfdf3597823bcff1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
37615c63f3c5a220b0f78fefa00b5deb

SHA1
fe9048120d4c38951241fdeb014eb3075a533483

SHA256
957ade6efd2c9ec63da0341a3413e5a355b99858c029b893f64b480be6250919

SHA512
628454d9ed13415ebf7b3ab752002757ef8a204584f7c318404f72454311069204e940b3b9eeefabb443b80422b0a30c6fd0c65b07b208317c844ccf30788b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
17KB

MD5
01c531b6bbd06a2f0b438670f84804de

SHA1
a5095fbdd8112d83cff24536d6c769ba85300587

SHA256
28c2640e996c514e89ed0638447c3f58bd7a829290bf16d27d7960d2c1121efd

SHA512
61656b632ab006e389d8493ac008d3c670fb2f3a21cea44975c12a62f265f1c0de2ab4f516b302e298bba13dc9c5fc9841adb66f154c335416ce9b0cef89e118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
150d0d6909b0f7c0f2b625c40ff9d546

SHA1
3a57c65ac82b26fe002731c7c08250518fc0394e

SHA256
cacee1581ca9edd5b7d553ed541dfa79f0b0022529e0f7e01f005aae6cafaf60

SHA512
407c2d29d4180f5b64052c596307fc07dddb5eac1decd9d35cfafcbc9a199ab83c715a2ba12899be9de6378e0cb203248e1fc8d9b3d97b029dfc4d7d88cc966f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5f6693f5529f6639087a2eaf658f231

SHA1
7c516eeb4b751af86690c46f4951af7a718f5ecf

SHA256
6ac12fe8e4df126e365c80173263c84dceb2a0eb4b203a3841050d5ce6b82767

SHA512
6f9b0d4417c1c210cbb3d046e281331c47dfce15979d24b6319456a245543572457ec8ee50bab1660e454e440fd4f9ecd2a8e659a2015f7345bef0b3147fe3a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
86ee5c2ea7956c23343ecadd736682d0

SHA1
6805c26bc33b576a99e8005df14e4da4540d7a75

SHA256
8919ef831c033f3254fd51c8907b41bb1b5026805135f721cf1362d99c002e23

SHA512
9cbc3883e76fb066653bf12bed7c7f3ef3d4d1757fe4968eada76fc0388ec0b026ec037d2004ce69ae2a5102e57fb85533ad3c89e9627077c1c1d65ad19ea305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
5219ac9cb060eafa0988f43ae549a98e

SHA1
f924d452a4121e0c808c1b756cabf43938109733

SHA256
64428d9fd613a9afaf525f4a38448804adb094f2e7ee2cdf6e15f8647cb58199

SHA512
beb8891ba27a77216351c2ac197662c0d9db4bb92d98b9a13e199f620c9ffba2b1efe9e34ffe5e1f97b35692fec0f19e3d16722a2dc8ed348c23330ce76eea3b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8a07ba93-108f-46ab-9216-d8c80d1f3a8c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\phantomX.zip

Filesize
1.3MB

MD5
36cc79baeab6501bce29fba299de8555

SHA1
925e67ce801e3d06bb2b382918581509d5e566a5

SHA256
4b8d9f5af1205cc3dfd14a1953a229313074ffda5be6481f88c903eb1e7618b1

SHA512
589f50b98d5b89df49169c10a1ddc6e5dead1f6d9b9859f56d1ca0704432af6e7c66ac5c71f860443b762e26a2cccd559f70ab28ee758f909ed770ea69e91f7c

Download Submit
C:\Users\Admin\Downloads\phantomX.zip:Zone.Identifier

Filesize
155B

MD5
3951b66b9bdc2c5f303d5f984d6e4f0b

SHA1
fcb504330448ac1f967de397bea36b4e69408a2f

SHA256
f60bb51022576b5ac6a5e7dd083895f3ed28ccf91391746e62897d382f73ee80

SHA512
5cf921a181652eae7a01fdfd86227539dd6fcc68bf36bb9da2eeeefa7b5c395bb80d45796cca7472ee68627358e9b5aa62c81bd858bf29912f2bd8469cfca7e0

Download Submit
C:\Windows\System32\SubDir\phantomX injector.exe

Filesize
3.3MB

MD5
8ac22fce32688203c5857e972a48c47c

SHA1
6808d49fe912bfe43b2d4fb6456c7da51fff9f5a

SHA256
9a822779bda311ccef9b3d2f88a75ebeb2f5113d2b45d5ed7a0d25a35c3fd8e5

SHA512
968f1d55159e59b753583eb88627ca0d392f92a753154633f95ef598aca32fa1e134aa5b7d7c42007fbfcca1fa74f084a19f2856b5b341a7a205601e957aba34

Download Submit
memory/1348-153-0x00007FF8C1C53000-0x00007FF8C1C55000-memory.dmp

Filesize
8KB

Download
memory/1348-154-0x0000000000950000-0x0000000000CAE000-memory.dmp

Filesize
3.4MB

Download
memory/1348-155-0x00007FF8C1C50000-0x00007FF8C2712000-memory.dmp

Filesize
10.8MB

Download
memory/1348-161-0x00007FF8C1C50000-0x00007FF8C2712000-memory.dmp

Filesize
10.8MB

Download
memory/4012-162-0x000000001B940000-0x000000001B990000-memory.dmp

Filesize
320KB

Download
memory/4012-163-0x000000001BA50000-0x000000001BB02000-memory.dmp

Filesize
712KB

Download