quasar | 31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qauasariscrypted.exe
Size

6.4MB
MD5

eb0beafcb365cd20eb00ff9e19b73232
SHA1

1a4470109418e1110588d52851e320ecefcba7de
SHA256

31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99
SHA512

8dff151e81b5ce3c4f51b1f24a6e7654c3008d81b6652e6d2f7fabc42d341e9db703b12f83ccf9471514498af3c1763ef97f132ad36302de8ccd984fbf52d52f
SSDEEP

98304:DpgFmZKkYcZ4YSQrKF78eHm8Xdt6Zz55JJ9enfr:uFmZOcZtrKFFHm8t0NJJo

Score

10^/10

quasar office04 microsoft persistence phishing spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.196.10.233:4782

Mutex

b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6

Attributes

encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
install_name
gfdgfdg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgfdhdgg
subdirectory
gfgfgf

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3568-17-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qauasariscrypted = "\"C:\\Users\\Admin\\qauasariscrypted.exe\""	qauasariscrypted.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 3568	4428	qauasariscrypted.exe	101

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2320	powershell.exe
2320	powershell.exe
4760	msedge.exe
4760	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
5028	identity_helper.exe
5028	identity_helper.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe
5400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 2320	4428	qauasariscrypted.exe	96
PID 4428 wrote to memory of 2320	4428	qauasariscrypted.exe	96
PID 4428 wrote to memory of 1936	4428	qauasariscrypted.exe	100
PID 4428 wrote to memory of 1936	4428	qauasariscrypted.exe	100
PID 4428 wrote to memory of 1936	4428	qauasariscrypted.exe	100
PID 4428 wrote to memory of 1936	4428	qauasariscrypted.exe	100
PID 4428 wrote to memory of 1936	4428	qauasariscrypted.exe	100
PID 4428 wrote to memory of 1936	4428	qauasariscrypted.exe	100
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 4428 wrote to memory of 3568	4428	qauasariscrypted.exe	101
PID 3568 wrote to memory of 3396	3568	wab.exe	104
PID 3568 wrote to memory of 3396	3568	wab.exe	104
PID 3396 wrote to memory of 3168	3396	msedge.exe	105
PID 3396 wrote to memory of 3168	3396	msedge.exe	105
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4828	3396	msedge.exe	106
PID 3396 wrote to memory of 4760	3396	msedge.exe	107
PID 3396 wrote to memory of 4760	3396	msedge.exe	107
PID 3396 wrote to memory of 4824	3396	msedge.exe	108
PID 3396 wrote to memory of 4824	3396	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\qauasariscrypted.exe
"C:\Users\Admin\AppData\Local\Temp\qauasariscrypted.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1936
- C:\Program Files (x86)\Windows Mail\wab.exe
  "C:\Program Files (x86)\Windows Mail\wab.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe8f8046f8,0x7ffe8f804708,0x7ffe8f804718
      4⤵
      PID:3168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:4972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:4040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
      4⤵
      PID:1700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      PID:4248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
      4⤵
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
      4⤵
      PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
      4⤵
      PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:5444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15032480616259871030,7887685782627165800,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5692 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8f8046f8,0x7ffe8f804708,0x7ffe8f804718
      4⤵
      PID:5296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b533661b945a612876de1e58ce73d065

SHA1
d93286945efeb7f33b49f8e594cdb264884c827e

SHA256
e5480b47432d7b0ca972afe477fac49f5fc1e8e82aaeab6401de99045949bd65

SHA512
672bc0f694e763a8597eebcce7728716a09515ad17854fae58d1f8df8aefca152eaabfd637bbaf8acae8e7936309809525a9f058a990148964a58c831d96dc4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f38951143ede15b2f00d3352e458d47

SHA1
1130065985230474657d5f744e99312f22c69485

SHA256
3a559763ad1634ef40108700025a909cc76ca8c66d6c77f41a07e2ced4c9ff65

SHA512
5376e21235d1b828a0d04e35d26154a1e52db3fe02690fa272ba982da55b88bb0ab7473e6b2031fe8d19798abefec072e22542132b175912b31279cda6f15f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
4bce5921984762329bb744cfa1429179

SHA1
5d47f551ee9c864d901a093b0a60b799482fc581

SHA256
c19f634df667b90c8fed6c69fe6d9604aeb3485f17c1b6d04c6b23f823cc28f0

SHA512
9160d23212db78660b5651aeb9e486f24b8b98e1f94f01d31f0092e3146d1519915896c92d02fdf5da7b1111bf01718cd0de81ad456ffa69aa7b487b4a477fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
481980699500167daad3b96339541e78

SHA1
d98798c174af6ab4304c9f3a6bf3f255bb628015

SHA256
95e1d5105c7ef512a4c529ab0c2700a4277be2c4abb0d69595df5fff5d3f89cf

SHA512
41aaab20cc52f88bcb2f89d4b1768e729ac480189aa3a47f4a0730fa3f65eb1a7e032f41245919adfebeee45fa2f8cfa61cede0e1fbcb403ec8851e995afd6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5507ba78323e4d2da98a64d858c94860

SHA1
fed9e90b9f1a09886b70d59f23e34fe67e331d47

SHA256
aa763844069cc8172a5124ad02a0a4a2e79d625a2e502744346cd812c3952790

SHA512
33a9233971c7c1ea1dc2dfac61bf049fceeec88e8e0c600a408fa3742da563475863ab023419eb8bf2e08ce9d9e725c82fcb110b71a6fad5e70d7d7342848e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88cc0733ffb04af5205737ff08afc322

SHA1
15d10f2d6681e160d972e2f48b33247fa561a2a9

SHA256
49773e99024721358e8bdf8208f6bca5d66245a9e76d6185bbd3c9ef7f719ba7

SHA512
ee39dc0d0264444523b0f8ad88e79b5a059df97fdf0aadc2c7dacd2c22a8094ca9c3cf477282ea8f83dfe342d07090f81307e2f2190032c2f85f34eab75bed62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eba8517f3652641367e901d3a54f7581

SHA1
fea9f4fd8d38fa53f21cebbc148d48fb07fe13c6

SHA256
2d7c268095e786a3e6c729a4503a10709df851a8899197637e6d42aa11fce388

SHA512
da857ea24ab0a1f4e1eae0a23c1b50e86c5e4c5781f9cff94eaa20127671ed5b1ed681c9b626366f155ec89e767ca11554a77f0f4c3a42c44cf821654b483517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
648517e88520da3a5adcbdbe18679aa7

SHA1
10dcb75afc9ee062b8ce0daa0ff889fecb1c2d9b

SHA256
c96f03ccb5755eaaf99a193ced3bbc577972b7e572ae73baeb52d7bef1c7f381

SHA512
f10638f00bc38d6b11ac582e09173ce78b24e4a3d8a89b2b3aede18062a1330d68e3e20e684ceb44225f49d72b02bb995e40b5835be5d6075254ff78a930dba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58abeb.TMP

Filesize
369B

MD5
a21e58a720dcb2d8109dd7477f0a44b4

SHA1
ca3c05ddc8cb8adc3e292607329ff7b15cc83f5f

SHA256
b0b1d750e3be7ffc050d2853c57ec3edefec768e5e97c0905212e4df7a1a6f14

SHA512
3d68e92c58241bfe6b533b72478abec5db8cbd359de051fd29711bd4bafeb257d816cd883cd750f21aeb997f699fb4ca97f4455ebf5d735d79a538a9903024e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
80671e48d6c9b81b5ce19ee1e74f178e

SHA1
97efe4410dc0c316372e418b485e5d4366d26e2d

SHA256
3ff8ad2ca0238dee15786ca51e220fec3db8bd388e1a2a0c03a81021ca4298b9

SHA512
0d0a847acf76a1b7c424f06e3e81a1049d854fdb3c2601893b70a86e676caada2e9a0675eee54084ec41d48bbf0ebab3d7591fe3b999e19fac424f367249dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_41t1bwor.wbr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2320-11-0x0000013B7C9A0000-0x0000013B7C9B0000-memory.dmp

Filesize
64KB

Download
memory/2320-12-0x0000013B7C9A0000-0x0000013B7C9B0000-memory.dmp

Filesize
64KB

Download
memory/2320-16-0x00007FFE8E1E0000-0x00007FFE8ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-10-0x00007FFE8E1E0000-0x00007FFE8ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-6-0x0000013B7F1C0000-0x0000013B7F1E2000-memory.dmp

Filesize
136KB

Download
memory/3568-17-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download