quasar | hxxps://gofile[.]io/d/PO790L

Analysis

max time kernel
40s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/PO790L

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Neverlose Loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023c51-63.dat	family_quasar
behavioral1/memory/1512-196-0x0000000000920000-0x00000000009A4000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1512	Neverlose Loader.exe
1384	Neverlose Loader.exe
1996	Neverlose Loader.exe
3120	Neverlose Loader.exe
3052	Neverlose Loader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 504816.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe\:SmartScreen:$DATA	Neverlose Loader.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe\:SmartScreen:$DATA	Neverlose Loader.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1060	schtasks.exe
3884	schtasks.exe
4836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4392	msedge.exe
4392	msedge.exe
1476	identity_helper.exe
1476	identity_helper.exe
3584	msedge.exe
3584	msedge.exe
1384	Neverlose Loader.exe
1384	Neverlose Loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	Neverlose Loader.exe
Token: SeDebugPrivilege	1384	Neverlose Loader.exe
Token: SeDebugPrivilege	1996	Neverlose Loader.exe
Token: SeDebugPrivilege	3120	Neverlose Loader.exe
Token: SeDebugPrivilege	3052	Neverlose Loader.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3052	Neverlose Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3868	4392	msedge.exe	85
PID 4392 wrote to memory of 3868	4392	msedge.exe	85
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 872	4392	msedge.exe	86
PID 4392 wrote to memory of 4924	4392	msedge.exe	87
PID 4392 wrote to memory of 4924	4392	msedge.exe	87
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88
PID 4392 wrote to memory of 2620	4392	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/PO790L
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe9e246f8,0x7fffe9e24708,0x7fffe9e24718
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,634024266991611367,17249122236904472614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4372

C:\Users\Admin\Desktop\Neverlose Loader.exe
"C:\Users\Admin\Desktop\Neverlose Loader.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:1512
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Neverlose Loader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4836
- C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1996

C:\Users\Admin\Desktop\Neverlose Loader.exe
"C:\Users\Admin\Desktop\Neverlose Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\Desktop\Neverlose Loader.exe
"C:\Users\Admin\Desktop\Neverlose Loader.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:3120
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Neverlose Loader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1060
- C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3052
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Neverlose Loader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Neverlose Loader.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f4f07100f7ee08309839bbf171b99820

SHA1
c003750d82baf3b7d4d174cab8eb651c2483faa5

SHA256
3ca739144cf26593fabc8b34c9f7bf0427a7fd98edcadc6c1944a6898e310591

SHA512
6132fb91eede6a2a8783a058c9631af15441f423d1d18c458e087a43b8e9092932633c5e48f28bf817470b4ef293e27671fc96558ee44ce14696150f6a5d380d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
381fba617977ce1a959b3bced20fd06e

SHA1
9b5e306c2323c7a8fe2bac27844bb5355c953077

SHA256
17042af08022e517702bcce064f7358c80a55421ab1c5172c08da567439c6f39

SHA512
8ec8f29e3b3590f3ab71a487c3529cad4562ea412c34bd4fdb97d6d88395826cc853c802039f99adeb6fb1756ec484d4e4a7c9db23f98b09609fb58a95eb6620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a8b9901e0e427c5ccc3c03513e18870

SHA1
813bb6e119f2b6cf7693f6a79f41d38c8ddb6464

SHA256
d5a460d3b10ff8da22db08ba69ecc4c3c0d9539660a1b5d383364e8777925da3

SHA512
559c7e31af030a34d4d7d3216aa562b1c944b4f8bbd45e8d3ec829191d2abd849f7ba56ac45b7ef62bdddc54a92c20573cebc9dca73e0e2bc0f15b1b34d6406d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c26103b42419da7c36daf297e2f93f7b

SHA1
536dc94fa07526fb3bed02bc5193a35b8d20485f

SHA256
4ae7d6463004427cd0b67d3e4fbbbd1b40be33dfe9a996923682f456583dec63

SHA512
7f55ba30b848bd5eb215929728c2ef943cffd9606fb7208c14278be0c2e79a7a7095d220d280218cff5e42bdaf52568b3da1f2dbfeeda9d7699f1370cc1a70c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5f45fb520fdedf78c6484324e124fe4c

SHA1
6a200b605504de60c736c065eeb0325a0a817b08

SHA256
88293035ea385ae0d39520d892480eda7c531eeb22e0672026d048c23e6342d9

SHA512
74675a822e843f1669f26937987df9658cff3159af6e93f56e7c8e488395a93e59acfd955ad42ceeedcb307b80e708167629dac2f2414b1e36fc81be99640466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bb02ac691df0727d5f8bc90b1ede508b

SHA1
c7cc7c329e9917205c7b80116c62c1fc3def5027

SHA256
25e6cbd341c9c49bac3e4dd2b96a3b71a3fc87752476a1b107fb7fed92ee9c9b

SHA512
5323d32b11441a0346ac8f06696971c8e3c8897bfb6ebd68a3b049e792a4a098b51b20f466d255da4f34e5f12d5d0781e32b2cbf17532a74ae16909c08446084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f4a17057657646cc4439cc1e6227d61

SHA1
359df5dbbb90a575efce8ccc781d6eabf82db3f0

SHA256
94162d6b46f3ce5d6bae491f839854a47fb592f0a2d517c5b1716b570aa71efc

SHA512
32dd2dae7c8f00fdf7070e483767e7c919b64e33d221875aad105c524147980cbdf146d87ab4cc3819fa3e9cdefabd1c2d51600503857e8bcdc41861d810a1bd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 504816.crdownload

Filesize
502KB

MD5
f5b150d54a0ba2d902974cbfd6249c56

SHA1
92e28c3d9ff4392eed379d816dda6939113830bd

SHA256
1ba41fb95f728823e54159eb05c34a545ddb09cb2d942b8d7b6de29537204a80

SHA512
57aade72ad0b45fdf1a6fdfa99e0d72165a9d3a77efd48c0fb5976ab605f6a395ab9817ea45f1f63994c772529b6b0c6448fa446d68c9859235ce43bf22cb688

Download Submit
memory/1512-196-0x0000000000920000-0x00000000009A4000-memory.dmp

Filesize
528KB

Download
memory/3052-211-0x000000001BC30000-0x000000001BC80000-memory.dmp

Filesize
320KB

Download
memory/3052-212-0x000000001BD40000-0x000000001BDF2000-memory.dmp

Filesize
712KB

Download
memory/3052-213-0x000000001C730000-0x000000001CC58000-memory.dmp

Filesize
5.2MB

Download