Analysis
-
max time kernel
1112s -
max time network
1114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
20-05-2024 14:08
General
-
Target
httpsgofile.iodntQlho.txt
-
Size
26B
-
MD5
beb4937bff161601f6e59c168205d2da
-
SHA1
c26f4c5c7334eb6184d08adbacbb8fb6a8653ab4
-
SHA256
215d09d1793ed0f9da71484b97fb12b7d40b0fc0cb5f509e037ed721760c9d96
-
SHA512
16ab09407a5af59545ef8defb651b13572987bbcfb4fd87fef2de24d977ab3c6e8b7d83e83cb8247fae050724ecea880637b57b2dcc6164279207478b35f4eb5
Malware Config
Extracted
quasar
1.4.1
Office04
191.101.209.39:4782
f00c7ad6-aca4-4fa5-9b92-3a0bdaf90105
-
encryption_key
8F08986A76A43D6215CF6C495B5B1B45D9B0B3D1
-
install_name
Celex.exe
-
log_directory
Logs
-
reconnect_delay
2929
-
startup_key
Windows
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\httpsgofile.iodntQlho.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff920c846f8,0x7ff920c84708,0x7ff920c847182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5300 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5876 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6940 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7156 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2136,9766402365829443679,17821517506232936816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Celex.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Celex.exe"C:\Users\Admin\AppData\Roaming\SubDir\Celex.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Celex.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58b167567021ccb1a9fdf073fa9112ef0
SHA13baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA25626764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
69KB
MD5aac57f6f587f163486628b8860aa3637
SHA1b1b51e14672caae2361f0e2c54b72d1107cfce54
SHA2560cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486
SHA5120622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004Filesize
39KB
MD5395699fc7fc3283d3bade75dbffa446e
SHA1c9474c5a587fbd3a25c0992f1dfe7946e3b7abba
SHA256a184c8951b524d5a22d7bca69a0d775523e8c095d158f80ac4415d87d17acd1c
SHA51270749ca5fc0cc5b9b85d13ecde89ffffbc1af7b36a650be842ff303b0ed0ef49e8d9f3edb91324d42462446b882b2558abff235f42e300226e491432196ba8fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009Filesize
1.2MB
MD5153d9573f0f824b040ac13793d95e406
SHA1f8a73c205962012c4fa5b93ccbc77d7b1be3b5d8
SHA256c70c12b65715e837682baf0eea8ff99a7531d9036b0b5a9d640def85df92d016
SHA5125e0f64f8d333be4fff5b869952fe18f3189d6af97bfce10aad8acae96153b790108351083f1b80c40d76cebdca35e5d7e0f3371c588a02c74e6ea0055a3d2b20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000bFilesize
32KB
MD5bbc7e5859c0d0757b3b1b15e1b11929d
SHA159df2c56b3c79ac1de9b400ddf3c5a693fa76c2d
SHA256851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2
SHA512f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000cFilesize
75KB
MD5cf989be758e8dab43e0a5bc0798c71e0
SHA197537516ffd3621ffdd0219ede2a0771a9d1e01d
SHA256beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615
SHA512f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025Filesize
40KB
MD53051c1e179d84292d3f84a1a0a112c80
SHA1c11a63236373abfe574f2935a0e7024688b71ccb
SHA256992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3
SHA512df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026Filesize
53KB
MD568f0a51fa86985999964ee43de12cdd5
SHA1bbfc7666be00c560b7394fa0b82b864237a99d8c
SHA256f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f
SHA5123049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD55de28d6c52a3a8877bd49a85e616e1bb
SHA15287b51f6f57173c509a91618508690ca5bfd3e4
SHA2568fbc978f46c43ca836097aa1df9e89f2d7ff007bc665a264c6ffcce2e3f7e67f
SHA5126804a52c56ebf3b7eb93c052a91c0324a9b83c12535198919ab4fe33a8f09ac4c915faabd8f888bb08513ec8933f5645f110d2eb12fcd44f248cc16ef6101ecc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD508616d08c1213b59ae1ea3da4eb14216
SHA1556dd78e09c784487b1862d29c025020ae901017
SHA256cad3e3268f6a0e8aea300d506cc21acaaa315b24e83cfe9fa863599696bb40f7
SHA512961bcdebd438f933fa532b5a245c5f84a16a8c7c71570d4d83e909019e2bf3bb1053ef22da8d7b68ec59380f87f4f09716a3cf122e4bf2bcd942a98686fbed48
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD582a71d769aa4940505238b7147389f33
SHA1740714531433051778fc0f9cbfc5e8d5312795a0
SHA2566c868a41120452c2dc793909e33479932eaf25fda4a0c1002785cc7518742bc7
SHA5126100464832b7abc4f260248e41f52ab3ca06ae7c776062b3bb35e3ff04280c32be3f091ca26b6efbbf7652303ca4bbba9f2d58e1f24abbe64d075dc12727b352
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
964B
MD589fae52b75139b1d40e7aacd73847b14
SHA16a39b9a1ef6ac137a02eb8d1a206be5ebc195b68
SHA25669ffcf40323923e23122eb30cda718ea7c6de73e14bc9ceb5fe7931886a15fc3
SHA5127cd7a3fce48392fa281e939331764ffe7d6d44efa28eb7696cdab30682142445172e5b1bc0e8f870d223ad9c74a9e7cc66bff2a04d1df8d3b704cd61167f00cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD566bb40756e17a517a985608ec103d783
SHA171302bb8bce9c72bbbfaa8b00789a33147402cfd
SHA2566a13dc0b13545e994520639501dc772dc15d4278987c38c5e2c1fb85ad710589
SHA512b408b5abfdd9fd815d3531d625625dea66d0d57db126d7f7708204e08d59cd2b292ef8a8dd95a18f40fd2399630233676fbb7c89e8750179b648e69b8580f186
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD52f1165dcf1fc83a6e9343f23b7fbaecb
SHA150909cd996311d222064c7d861c16dfd6324cb59
SHA256d4e05ab638b77297413bb6f264573d52590437bb4c7231ef738920209aaaa648
SHA5125a3a4e4c062dbde80f0939548eda302c7fab826edf125fc69739fc11a786ac61a86797aaf257c73f0d52761bf37c9bcf7f2ab17d9191575e11075a8b6c5ea29d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5727dad8b838c4cc11318ad0d6b4b5005
SHA1c0d84c598786186ef3cfa320dcd2b9067b73d51c
SHA256c31f1e68164789658e3b69661dfef9376dde7f91bd2b3716948cc4e481f2d914
SHA512a563daf5578fa2239f8733bdc9e2e1d730a552f926c54f3bad03586de222de5c9f0710ccdc3a5f4f7cbc93e8994dd22e4ca44625b7044a5f1074f2bc032b0da0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD55a97cf90c8d7c77543c63104f4bc4d52
SHA1606d01527e6afd467715b843d67280b713ddd7f9
SHA2562969536e42092add6f2671254b74f3f719b086a21dd24e3db4ccd4a21be46b15
SHA512397a9ffe8c6b029d7c5e49b739203eaee1528aced3f514b914bdb8c6df767bfaf29d52688d1461e6f62395ee0d8e6117bc1134a5057658990dcf1e433b543721
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD56d1dcb493f41fb966e0c7361f5de5075
SHA11a362237a9e2ad5f46d3ca880d2863e1765b7d81
SHA2560a0ae5664947a4747d7999b5609619afd91393263dea9c3cc092d17fa4cb3f74
SHA512c021a83e0a053e1c72018b4132f39c088d039be911902d6a668549a525c4c32fe91e0f5a732cca23899ec1135fde28bb5443c92030c9301f20b4a8629aeb3c54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e4a4fef8ef48c2c7dd591548935cb0aa
SHA15326ba366b0f6035268854f21fe44eb940088c0a
SHA2560f5f38337147ba4cdb34a66787bfdf09a6d5c7d18dc205862aa0859b053dc113
SHA5120e4b3b6db1461a159fae97dd4e7bce722c53be394aaef236d982f92e7c0de111a55cde915abc9209c1e3e61fef1ffdfedcc9462677ea3dd7ba22ce8194cd0378
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59131b4b58a8f0da13097ee22a0cb8b31
SHA148ddd3153811bf10de2f452797178364b36d9922
SHA256f4cecd7a8ca9db5cbf22853f6e369943ed4f204be176616ef64b56ee1b7ef793
SHA512adc33a4de0d61df4e14dce7c61a22bd398f5dab70e4657a99e000860691290e8c92b79e5faf2f09332eec345519f4fec7cc23c840a6a902abb72456fc645c12b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD51bba07467d25d19707e974518722f7e7
SHA1c67034901a05900aed37da7a4a3ad6f7b5a6968c
SHA256e612325139000dbef11fc6620e592cc0e5e14eae2327661de6db4c9532d7d397
SHA512498ab3b2007143fd38c8a01cce706dd5254a2e77a2bf11b1290325b515d2127e21f0433be5e52bedb8b30b5c0c99eb3648ac220c869a0b1b7b203eebac9998ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5c7db5a2fec86287e461c64dd4ef58b02
SHA1a244a559b699fac987a954e4ea8d348ce9e8fcb2
SHA256bbe2945d025b4b107b145c0640c51c5e7853dc636b54a66a21b1ff6d332d1ca4
SHA512a9e7bd9de29464d4bb98064795e00cc3c86569adf1eee1b05259193bee7cdc547a47391fcb23b559d0a30aa556e57b82da335342ede4ac412b2505474d5954d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD54506ddcdc5e89c46d291e0acf1780809
SHA1ae83615895a283e1f6c8d6c134206b20f2acf177
SHA25605331803603993a7b6e8bfd9997013f7a81d5d5a75aa28941fc45da56ad2c80c
SHA512cab162cb07730c6c85407968f4f8fe2fa0f1189169ace9ee4a4afd69d40f87a7f4d6ccfe769d78a59d297833a16ef7b2a88aa9b60e2fbf5e879d484dc1ac2e25
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e9b2f45c64b8e084236680a277e180bf
SHA18419be4fac4568ed70820960bb5242d33b47842e
SHA256711d83dc300f75439df042da2d7c28bb87e0f4927d7568275dbda0608f1e19c9
SHA512a292bad243975dead8ccafc6540b4465e3d79fe737db2a3eb892a609db6a0766f1d39bffc8b961a8928ffe86d80207e3124bf3eb5b450667baa793614961daf5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD59f5d389a6d18d0111e6194dffc7953db
SHA1dbedc0282e3c00ba0f9171e4524285e0c42b3b1a
SHA256e4744d12e4a25d162ca3902c2e7d680abc427561537530eb9ff9e7f71676b606
SHA512170b31ae4b51d030f0d53312e9dc380b447d2f6de7d83e3632e70a2dbb781d60303603a8a13e3ddb6984a1bb42c965f3374f138083e7165c2623448ad7fffd76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5fef2b24cd17c16a9ce990150268622ff
SHA19112e16a1c6d2107f0923dfe204ffd32ba002c46
SHA25675f552a145a777e980e6ee29dace02f9e8a386ab0ce22e47ce693716fa6c63df
SHA51291365f72886834ff64e64b986832b69ee0110b5997c350be3e6482d9b7f3076b2893757c597b963dd322162c8a86fcb32ef7cf0d174f7a8b6765a7c06c561977
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD54745b09ec038ac47883130dcfd158854
SHA1fa351e6b2608ac51450411ef2596fb814714de14
SHA2562acfffd580718fe63323737dc4c11170600f2445ecd18ed6d3942d9f8fe6d5ea
SHA51210e2580555eb7dbe39a380cb5fbca918afc9d796cd8b2e14c7d80504a70a358c593c0935c850fb8c54ae2bdd1c6419c48ae267c1e8b72d3c73a3d2dcd6319ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51c71d714d8c1c385e6e2e4eb4e04372b
SHA1fedd0c48af4cef5a72fca2c3e3fad2377e43b68e
SHA2562decdcee64b6043363944f5d32dd6a430326f32e06755b1b2af82795b89cd4a2
SHA512f08c16b7999cb64306811deabade433ecabfcc6d9065e2b4cb8ac216d2a48b10f9670e9c122be4d5d2a43a69f92e7f204104e7c3d83cda2b57b3f4fb9a7b0de0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5414826f97f192c7ba1543e926a717875
SHA14150e669e5dd079bed7e214a1eb16efe199507c0
SHA256234c93e2180e49ed5a257d4ded25dc0df36dbce3f1d1df0d9b7943e2992c7a41
SHA512ad0a8da4aee75ac4d08ac0be7f0bd0363d4c0de7b79eba34b4f2cbccf08175d2238eceafea9fe88355a8d4e8b84600393f0a80e034d726dbed3db1e25bfb0f83
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5bd6b16ccbfe59a1bcf710051ef588316
SHA1e09e825897422f3cb79d722c733335b25947d883
SHA256fdb32a3ec302a394149f810ceb00a0c97a84c450a5cb108123bdbe16e0ce022d
SHA512014d1094042c441cbdb0d4a9b6212f3bc058c4e2eb7570b6264b64bde4f7254900bb878fef6a3eeacc8ba4aabdf555c2a7c5e7651b139b1e1d9a23a8c925e248
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD58d5a92461180bb18d0ef7371aefb7a19
SHA1bb3d20e7bd26454a31d6c702c035fdf3b53fbdc8
SHA256bf5fad75b1cf0e080146fb468c6f5727e0114264c3bd0153074f83b56538149e
SHA512c3074028983117e150b7f3f958d48a574b56d17d28abc9136a346c010b259f45bb8c2d92e97674d0871538a68f48a4e988caaefcc77ce8e3993027386af7e859
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5cd5325f9582b1791c53093b950fcac80
SHA1ba4d0225b610efacbe4cc1d590d122db04c89d9b
SHA256bace8e748f9bd02e764cd4375fee14d39d89d8b337c5d55aa02f260e860c87d0
SHA5125eb0395ef5f18e0b4b849c3386f74f95fdaf83599fa9c38cf18c628ae50d9af8c478b43c0b3d45a78a993db879b54c8dce94fd63261215afee427825128d27da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d3b6.TMPFilesize
1KB
MD57070ffe81c892853280cd403f6f5407e
SHA131c8b6585af5a98f13be000d25c9851031d44cc9
SHA256259f4b34200aa70016fad54759c2c72309d5836ca88bd4d7463346cedfdfda7a
SHA512c9a48697610dc04897b6da03c298764d24b96f80eb8c4d8411f34c45080263ffefd98c32776622a97d504d5a4e76b672b5d2ea761305da1b1261819859241d64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD590146ef35ac58452c6378eb09e5ced8c
SHA1735c5f360e2222a56d6d868774778dca976e15a9
SHA256c9726e206331d93cd0a9b9d49fd84d0a3c28df669ba79316c15a659ff5efcea7
SHA5124d77258fed0623c948d0e53dd6256de5d2e72cf3f0c49effefe700f990cb0eff447a59aad142356ebe912bcfde65ea98bd6c458b8e3759e375ba7fc45d78a6c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD569acffb23696a2908e3f8cd29814fff1
SHA13639cdea0bc20e47ec045139c1b88bb5076823ad
SHA256de16decfa249506ffb7f9877cb20a4f4755069ae18e4e7731f1396d246567762
SHA512b06b2bbe3ef67237cfaf98aa36acf8cf980e5dca2b9936798c6ac1d0ce0d6cf7cd4b1ee2d560708fd77af4bd354f404518ba9403c3938bee6879ef91bc589d02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5351a02d27fcc04f3c93f3cf35ca423eb
SHA1582886065d636b86076b8dad655cd06bb29eaff6
SHA2561cb07b31e92c58df9184fe4104896f49c1d3a683216ddc2e1858bd9ad06e1844
SHA512fb9721c86486b1c9a7d521f566afb38a1c35f0c26b5a7dbe04ac8025c770411360514f2da8f62255bc821c0f71e0b9fa7a2b66bdfb04b6753b06a82b6ed38019
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5ee517936fdf0d52abbc2f84322160eaf
SHA18f19ba7c3961c7b2e1dfa719b4c48452781a85fd
SHA2563e41139bd5a3e2ee183936a7169f2580b72a655fced5901d85e90f4a0e81d823
SHA512ccdaba3c5dd7c0848fd62866411ae8a8cdd6d0be006b10d2d5d7e5a07b5d8eac304290c5cd688bdc1f09b2e2da590d23baa6d8d87fac6f765d02c1dc2d076a78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD566d195f1fd07269fd638e1cc748b4031
SHA1d461bf4f6dde01e1f186b3b953e5d5e2acb92ef7
SHA256a03b305dcadaaf9c43f552c676a05fc3331da5386defd334f21bb10cc64943e5
SHA512af45b031acda53b994e00828c57822a2a57f943be7b1a4e64bd19b61dbfc757b5c1a9d53a3ad420cd99f43a97bde18692fcf8f332d05ec56b5083a09732b7d57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5f4ca6fcf0c972f418ab63a648e104fda
SHA128059f58903e2b8f77c0de95ee3041a29e590f4a
SHA2567e348cc69d6f2e1e35d649b25f3d2c569f1d81adffd81253558cd56c62b65938
SHA5128973932cfa2cab7038ee4d147fe744278135c2268250bc5ed85857fd4a1ce0a2c0c6ed66d57600c9bdfa2f3f36d7118dd6deca965cbe0dbc104e6799ad4f43bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\4cdd930c9826341d4381cd3e84eb0145_44d43ff8-91cd-4ca7-92c9-6495b4f546faFilesize
3KB
MD566c1a0cf05555ab70ac7e8705bb3819b
SHA1420473906aecbc1084b052a91c99213168c28af5
SHA256e5004e57ada8b8f61de5096b5546effa4afc4101a49240cc57bad1669cec94a3
SHA5129a19d77321be3311270b1e7c993b8818eb1c697c46102fdd9e26e666b599c9b5e89e539c169ae6b65a3a5b81dd654e17a80c0d96d0e0b69693332389b4716a77
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dicFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\Downloads\Quasar.v1.4.1.zipFilesize
3.3MB
MD513aa4bf4f5ed1ac503c69470b1ede5c1
SHA1c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA2564cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exeFilesize
3.1MB
MD5465f2d705345380462b213e6a245da4c
SHA1062faeb4399e6b6584ace1746f74c5c75e97df89
SHA256b1dff74974b70f6d45f9513877f25fcfb0a9ae41e3bb5bd1016bc1f3f5745182
SHA5123f75b1d95dec5cc64f8ffd1b195f7e32227db5741b79099a829a2ae7a678a877e6dc5c9ce5135649d75661b266063ecf701abca8eee38ca8914c7bc84cbe4d52
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exeFilesize
3.1MB
MD5fdb9c50e45fa955cdeced9a181d0ed58
SHA18f825544fa57516047535497f0c8e4633ade3167
SHA256299f0d9b8bdf7f64136a5ae652a5744be5a69e0650ab4ecc576148cd8200fb13
SHA5128a1e98e7a0b64bc0ff21ad978c789beab32e366bd32d92e73c78626f131468787c89504ac6e1c514ecb896a34b87d336e83b0d7576d3e7901d740153e9de3cd0
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xmlFilesize
1012B
MD5805c7dda328d1e411ec9d296a1679b1d
SHA1032245c597db5ef9439c4dc9db0e6c26a60815ad
SHA256a7fb50d5ac8ec0f5540eb6bbe500160aaeec4c7dfee98f5babdacd5754666537
SHA512e6d22f6afcfa43cb4139a7576da0f56f7f5a715588b66e830a5a7be7aa864895815232f4faa04989497a51a68e696362c195384cfa7dd19c45c5f7ed2aa56b93
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12Filesize
4KB
MD5c03486522b20d57c3b8abe2d6e57c1ea
SHA17ddab10ec3dd6f6498df13b864e0f4e91f73b3a4
SHA2562ed130e2dd8e4271d2d8d764db6418cdf23a47523c53d73eaa7d7c0a4fa03752
SHA5127d36ec2eff65c027182b468728c88ed6835f1068a85bde02fae2b08e5b8ab1cec243a515cf4d3bacc561253de4040900b8904968229b5ada5f6d7bd4782b8e18
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xmlFilesize
336B
MD58e3f7b698e563f793f7d5b0f1d08cfc5
SHA1adab806feb0133b9f243b009c39664fe03633135
SHA2564dfa85bf61caa163e7709b763a37eaca719500bd290f3571fd6fce748e626568
SHA512c291b96b818efad8297a5d6315e322ae21b25ca178a04c04c857f7f4edb7cdc09ccd602613decaa01df87b08533f3fa57f70a89f5be6d02cc1fbcf6230dbf22d
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xmlFilesize
373B
MD5b6af1da05c1a00991f04f8b898cea532
SHA124c48b062d8d864eefd32f2d84a36e1a7282e911
SHA256f2ef0d8f29904a65ce6dbe29baf9379fb4659afb6930a5af5d9fb88f73b73f41
SHA5122ab2de469911c3fee5b9bbfdbb373e5eb15023bf25b9e1835ebbf5890c66cfd7a06d7d5911e2fb630afadf9b30489e589634cefe52ca4c4156ae24b24c00c8aa
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xmlFilesize
372B
MD51817f52c2c01e3d564e25f986bfe55cc
SHA1bf7ae88e235c063aa38c9d2ae29c88ee0b4a2859
SHA256a1a4e3312292197002d76ce976e9ea860f70cb003b9f31f45d6acd32af011b33
SHA512d8f47313c5d3cd4562d77ca32f676ce1e9e83af21b33bb902365d0c6240babb909554e361a4b5b75175b09950971aa02f740717d424a44e1cbfd23d815014dae
-
\??\pipe\LOCAL\crashpad_2692_OPENDMTABERDWMFNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3608-648-0x00000285DDB30000-0x00000285DDC68000-memory.dmpFilesize
1.2MB
-
memory/3608-649-0x00000285DF930000-0x00000285DF946000-memory.dmpFilesize
88KB
-
memory/3608-650-0x00000285FB3D0000-0x00000285FB6FE000-memory.dmpFilesize
3.2MB
-
memory/3608-675-0x00000285F8E80000-0x00000285F8ECC000-memory.dmpFilesize
304KB
-
memory/3608-964-0x00000285FE890000-0x00000285FE8EE000-memory.dmpFilesize
376KB
-
memory/3608-965-0x00000285FD110000-0x00000285FD12A000-memory.dmpFilesize
104KB
-
memory/3608-672-0x00000285F8DC0000-0x00000285F8DD8000-memory.dmpFilesize
96KB
-
memory/3608-673-0x00000285F8E30000-0x00000285F8E80000-memory.dmpFilesize
320KB
-
memory/3608-674-0x00000285FA7C0000-0x00000285FA872000-memory.dmpFilesize
712KB
-
memory/5324-1766-0x0000000000E20000-0x0000000001144000-memory.dmpFilesize
3.1MB