quasar | hxxps://drive[.]google[.]com/file/d/1kmtgbJkFvC4E6ku3ibDIShctphzZlGxc/view?usp=sharing

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1kmtgbJkFvC4E6ku3ibDIShctphzZlGxc/view?usp=sharing

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.101.5:4782

192.168.56.1:4782

Mutex

2f346f7b-7ef9-48a7-aad7-117c99e3b42c

Attributes

encryption_key
946B2201F7DE5D3B1BE0E7F90BF962776DDA4F12
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000242c0-436.dat	family_quasar
behavioral1/memory/5992-438-0x0000000000BB0000-0x0000000000ED4000-memory.dmp	family_quasar

Executes dropped EXE 6 IoCs

pid	Process
5992	Client-built.exe
3284	Client.exe
6132	Client-built.exe
5988	Client-built.exe
5476	Client-built.exe
3312	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
19	drive.google.com
20	drive.google.com
8	drive.google.com
9	drive.google.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_343152775\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_343152775\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_1496754411\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_1496754411\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_844940971\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_844940971\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_1496754411\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_844940971\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_343152775\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_997832728\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_997832728\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_1496754411\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_1496754411\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_844940971\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_844940971\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1080_997832728\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873180024932739"	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{E97EAF17-5CFB-490C-83F3-98C16C5D1FD9}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
924	schtasks.exe
6128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5868	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5340	7zG.exe
Token: 35	5340	7zG.exe
Token: SeSecurityPrivilege	5340	7zG.exe
Token: SeSecurityPrivilege	5340	7zG.exe
Token: SeDebugPrivilege	5992	Client-built.exe
Token: SeDebugPrivilege	3284	Client.exe
Token: SeDebugPrivilege	6132	Client-built.exe
Token: SeDebugPrivilege	5988	Client-built.exe
Token: SeDebugPrivilege	5476	Client-built.exe
Token: SeDebugPrivilege	3312	Client-built.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
5340	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5868	OpenWith.exe
5868	OpenWith.exe
5868	OpenWith.exe
3284	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 5540	1080	msedge.exe	86
PID 1080 wrote to memory of 5540	1080	msedge.exe	86
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 6092	1080	msedge.exe	88
PID 1080 wrote to memory of 6092	1080	msedge.exe	88
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 1608	1080	msedge.exe	87
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89
PID 1080 wrote to memory of 4296	1080	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1kmtgbJkFvC4E6ku3ibDIShctphzZlGxc/view?usp=sharing
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2a4,0x7ffebdf1f208,0x7ffebdf1f214,0x7ffebdf1f220
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2220,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1904,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2548,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4844,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:2
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4784,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4772,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5324,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6056,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6056,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6148,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6280,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6628,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6552,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6276,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6716,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=7224 /prefetch:8
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6480,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7304,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7324,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6952,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6016,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6380,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6908,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5076,i,9856761623230591131,4680206830861016290,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Client-built\" -spe -an -ai#7zMap20410:86:7zEvent15570
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5340

C:\Users\Admin\Downloads\Client-built\Client-built.exe
"C:\Users\Admin\Downloads\Client-built\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5992
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:924
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3284
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6128

C:\Users\Admin\Downloads\Client-built\Client-built.exe
"C:\Users\Admin\Downloads\Client-built\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Users\Admin\Downloads\Client-built\Client-built.exe
"C:\Users\Admin\Downloads\Client-built\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Users\Admin\Downloads\Client-built\Client-built.exe
"C:\Users\Admin\Downloads\Client-built\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Users\Admin\Downloads\Client-built\Client-built.exe
"C:\Users\Admin\Downloads\Client-built\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping1080_1496754411\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1080_1496754411\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1080_844940971\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7b0736a36bad51260e5db322736df2e9

SHA1
30af14ed09d3f769230d67f51e0adb955833673e

SHA256
0d2adfd06d505b9020c292d30597083d808bfd90ddc0fe173def5db96832a087

SHA512
caabdc6a8601b93f3c082e6506b3c9efe2242b90e92e86306dc0bd4857d33343ba395325fabb21f5db562d3e3932f52f77de547f379072d0154efd5f1b1cdeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9801937d66feb0c8d4cabb3904bc326b

SHA1
366eca2b037c32ec47d77e811f30a8f8d455629b

SHA256
663e44eeeb7e6985b66ef360c50344fed7ac4eec364fbe1ab490e351b1388058

SHA512
504cb8d1f900ec476e3dd4695b02eb3b96d682472931cb1c9e104071a35e41e8450e67e032801c3d7a354343790a6c120d93360623c1e7bc7c961470d9fea159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d9c6.TMP

Filesize
3KB

MD5
129bca47ce4e6d9862698abfff0b6de0

SHA1
daa33919277276e86bcc20b63dc3008a12c638dc

SHA256
756d1c9fb60f7945fa67c235bbf55512ce48abe6492aad14001702136fb38f95

SHA512
04f1cf7f58940e61330e4702d85c16d6e4b5814fc363adbb2cf416114efa3b0efdba9260bbaec1ee20d8183cef7527b78d0c1a176f02c82d75c6b202bd998e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
9cbdcb62650e232f73879467ef22617d

SHA1
c59bd4e4411cb14916ee0f745fc431ecc83c2ee8

SHA256
f7c2325324753e6d27f1d72f784a25c3377209282fafa67e4039b220e2b53608

SHA512
dc23db21fc47cb3b96e757fdec7942471067a7c589e355e0063f1d424eea6f7031e597adf39025ba91b5b869a54eb075379a4f934a222e869364ec084402a72c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
08e747be3cad4f3130fe3049dccdfaa9

SHA1
2ecd4ff2486042f0d77615bbcbe390558f20f82a

SHA256
d35592462636b240b92a88bebfc0dd61c7bac2a1ac3cbc4cda4003e8ac14dba1

SHA512
6b5d63daf683e8054f01601feb299f8e7653681bfcb638786a0628589f422c972b1b62243c0a4e723879b54c7323d06d44886c11bf088ef5c4d6d664dbebd3a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
97b7ee84b428336d88549b26fbb38459

SHA1
953ed660a6af05ae20a5c2e9b2b1bbd584fbe4b0

SHA256
ff92fd1e27013f35c2eeb033f22bafbf8916df026fd471f18bfb2d5eef214de3

SHA512
5755dfcef5b0b4fc117b4a67bb25ccf9b143c8c8a8594fd6ac85e98bc40cdc878422493352154e2a06b661f0b4304996fa3f774f403f718af5306c5aa772e63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
f79ac6ef3489ee0961e57dc02718d9a6

SHA1
adb3742511612130ec626aa5a89cf4c974fe6dd4

SHA256
075184e7dc47772c6b62ebdcafc3c088ecbfe65157e13fac72abe00d6248f71b

SHA512
ecdc8fe8ce7e50783f54242faf084c4d848ac67fd3a9966663ddadd00b4f43af9e324eb2115cf91dabf37380e1368579bdd89ea149139446c8c6e712b245ec01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
bdab6b1e0442d3207950f2cddeeb11fa

SHA1
c13398f5dd854a6f10e427e9f3c7f73ca84977eb

SHA256
93426711ce47d104932c0884402812911c8bd46a8b4413e37ad92f952efaedaf

SHA512
cd4fae0d3204a9f69fd72afad4c33ee909930ef69bb6803873523580d8264c94542922a41daa5096daf67b5549c1bef592da834e8691904c4ddfbc5274864763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c5dde91a9b6ac5d8ddec05cb9858da05

SHA1
418747c22ab47a63bd0c3b6d61f47ab57be81d1f

SHA256
99871dd04c5a6a45588c9ea505064dd9b352c7bdab5ddde487cc12c6f69924c3

SHA512
449f45a937844c3fc40adf0ab9ba0a56c42899dafd8ce8980eaa22335a2d1a4c7fde7852551420f1c6bb03ad44a49417b3a5bbe3f0eaeea99c9e2b9d805fc13b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bfd5.TMP

Filesize
48B

MD5
d55e4feb1b4eba83b65a3c267ba3beee

SHA1
b89340236c5c8cc1fa2c34910744276e21e13104

SHA256
989d69c41c5d0ac23fe2ef006c2568e417a0a9f8c09f11c2028ed9f82c0bf037

SHA512
21c8cfa400d1aaf308c606d8638a996c4227c8a346dbda539dfcd50c8cd8b17c9c92b3df6effc6310d39ae089a650e239ef2b119b73f0db7b8eb1b201f05cbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
47c63da653b15ba47e96097d89537109

SHA1
a39d3a96a663d0edf2db30a12bec495c6ae91a68

SHA256
25728972fdd06994c2d5dc0e78150757878131cd5cb98a0a1fb006a2cca31980

SHA512
69705a9af3c1bd29ff8dd119bda0ff8afa00a82ccf1d51690a29f380073f04c38ec43f18ad9393117ce94fbdbc1affcc86be26ce22f8c4ce594179bba45e1acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
51663475d176a9eadaf10c5d15c199f7

SHA1
a881e79c55f1b9df35821ef001c037408dbdc2d6

SHA256
d9eabbcacf986cd8012bf4e98f4870cc6f8952b503a243c54a152be8df38410a

SHA512
7e652e34f572034c3861c32a8e22fd6cde1b02f950d604bc08ce8314a289ad803fc545d03beb8f6f2fb45f58c28bf6a4d5ec3c72457ec54a1b9402cb221754d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
658843f3e521a2e9a3ae6c52548d7736

SHA1
8ad51f0133ffb0f0adc9d7be85d4fa81d8b87b85

SHA256
180d71f1562e63361506377c169eff4d8e0043d072ac6f69d8118c82fd7b05a5

SHA512
2430a44a6dbdd95c7a37fa89be1725b24915c66a3586d01c34e0b73e81a8d39f39e8ac39a1ad4a52399f2034957b93bf68129cdbc456603049d435a64e6b4345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
f247ed1e2f0f3765cb4a9de71ee89369

SHA1
d9c6ab7952707b6318464ef40a423e9cfce3728f

SHA256
f5848a3a9e5bc7c42715d8663ac60164d269a1eecf9a2a293aaf694d46a6b5d5

SHA512
93b38ca6150d78e2b5954d73d74a6360cfcd54aad4ca9f68b2982393247fe8daa95333206eddd945b4dcb3f6020ca985180db17b3353fb2339d85b976a63c187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
86ce262a90b44f14e638f834e9ce1057

SHA1
598605084296b7aebcf4180bb6a89a0ab1d7c0b5

SHA256
3d1d4c03f585f16b688b139506054dfd275a6ceb6bbf86cdf148e3c6772e87b6

SHA512
04c41e29df047bd8cc5c45d3de9eed5f0026a4c5e8da32862a2604801d3e4aed2e935a6bb7fa278058055e90675e25081a69f404fea76e38594cd371dcf92655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a8499583fd05ffb37368acb1c79ea61d

SHA1
df953e92f560fbf01f4dbd09877c4aae969674c2

SHA256
15588e1d30693f214344eeb78a4113e1c14d208322b7c0dcad93a28c9bd6708e

SHA512
83ab4d6bd1950a27ca327cae883396272edb0abdb87052245786b41155f59940c47d4f971753075a6d544cd0fdd85ba85cc6ddb499bd5a4d929818c3bcfc0b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
575b8a825387571d681f6b6083790002

SHA1
b4a68e05ae0edb7ca58e430f77dfac688766cf46

SHA256
398cb7acb3cd727eb110d799a2a0da64ca444f044b5a8b5b7deb49755cc329b3

SHA512
8acc115c8097ab43a6c1b4554f86274c2eeb62f21f46baf79d3964a4852a65c708e41aa23c8b80396076c6e2f67c7fe38a9765e060ee9633105e1fa5df71e291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
ba00c29aff287a99ae3fb674e9da01d5

SHA1
cdbef5adda7f7d9232cf6c6d6d9147e1d398abd8

SHA256
57478cd6d6ef1ffc2d872db2bb933568d7c27b8894e190ff9480fe8c38a0bdcc

SHA512
0a1d10e13cecf3eac382207bc6abfbb9909d70655030aa630a3a4f578d894fd73b2c9d9f5352211a3cea181f4e5c389250ab2ca3659f050eadfe0526f0c5a3b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
b015c64303b15c73bcb8770ecbb0816e

SHA1
74fc81345c5178eb2cd5a22a5c33f79b9abdcb67

SHA256
2d499557c3fd8a3f89d84eb002e5ccc553137247165a283e1fd26d876c5b804f

SHA512
b3628a0f589ceddeb8d4aadd5e49d449e9a4d0d277ec6968ce215d1d3606e2eb378ccaec9e8df18668b26e4df098e67a352d614794a15644cd5a340f26423bea

Download Submit
C:\Users\Admin\Downloads\Client-built.rar.crdownload

Filesize
1.0MB

MD5
7fb3031b77d079cb0b31a0fef63353af

SHA1
76e7666b1396473b4b90db049ad8273f966169e2

SHA256
2dd2a4f4569abfad351830298d4dee251e9a04626894b9fc6ba02212903116e6

SHA512
b384b48dd1579217f3e602717a80b8d3603eb5510bdc4c4b5ab8a419658d9a1c325ea643b65c3a776fbaf45bff2f873e11ac898deebfca2b0ca2cb53ba53dd08

Download Submit
C:\Users\Admin\Downloads\Client-built\Client-built.exe

Filesize
3.1MB

MD5
712f0e904564f5a4fe3683cd197dee43

SHA1
68ca0c3db9b044254d11872af310b033124f2736

SHA256
f9284fd240b56d20a14e0e52f46375ac2d877e0b5759194d364024b597bbbca4

SHA512
63793e5e8e8f4b4bbb7af337e25da5110026ee1551d0f88aa08e1426a26c5db1937c8d78ef0fa52a38e5d90ca7f0d5ded1725abda14154fb7d10a7f164f6e7c5

Download Submit
memory/3284-451-0x00000000016B0000-0x0000000001700000-memory.dmp

Filesize
320KB

Download
memory/3284-452-0x000000001B860000-0x000000001B912000-memory.dmp

Filesize
712KB

Download
memory/5992-438-0x0000000000BB0000-0x0000000000ED4000-memory.dmp

Filesize
3.1MB

Download