Overview

overview

10

Static

static

1

URLScan

urlscan

https://mega.nz/file...

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://mega.nz/file/JgURyISA#kdcdET2ntmhda02XcRUeXKR-NrNg_JsWr4kilAZovRM

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.0.2.15:4782

Mutex

d850957b-64bd-497d-9f9a-3ee4894ffc1e

Attributes
  • encryption_key

    8F0072332E1ACC25777BCA859650B335CCE8B039

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/JgURyISA#kdcdET2ntmhda02XcRUeXKR-NrNg_JsWr4kilAZovRM
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda90946f8,0x7ffda9094708,0x7ffda9094718
      2⤵
        PID:2664
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        2⤵
          PID:1968
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2732
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
          2⤵
            PID:232
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
            2⤵
              PID:3612
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
              2⤵
                PID:2816
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4580 /prefetch:8
                2⤵
                  PID:316
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
                  2⤵
                    PID:2128
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:836
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5740 /prefetch:8
                    2⤵
                      PID:448
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
                      2⤵
                        PID:4184
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6240 /prefetch:8
                        2⤵
                          PID:4164
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1856
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
                          2⤵
                            PID:4252
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
                            2⤵
                              PID:1616
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
                              2⤵
                                PID:468
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
                                2⤵
                                  PID:3424
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5075841573406129632,3885930383531697374,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1008 /prefetch:2
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3316
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2344
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1724
                                  • C:\Windows\system32\AUDIODG.EXE
                                    C:\Windows\system32\AUDIODG.EXE 0x404 0x414
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:920
                                  • C:\Users\Admin\Desktop\paysavecard generator.exe
                                    "C:\Users\Admin\Desktop\paysavecard generator.exe"
                                    1⤵
                                    • NTFS ADS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2996
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      2⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:708
                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:644
                                      • C:\Windows\SYSTEM32\schtasks.exe
                                        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                        3⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1580
                                  • C:\Users\Admin\Desktop\paysavecard generator.exe
                                    "C:\Users\Admin\Desktop\paysavecard generator.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5000
                                  • C:\Users\Admin\Desktop\paysavecard generator.exe
                                    "C:\Users\Admin\Desktop\paysavecard generator.exe"
                                    1⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4852

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\paysavecard generator.exe.log
                                    Filesize

                                    1KB

                                    MD5

                                    baf55b95da4a601229647f25dad12878

                                    SHA1

                                    abc16954ebfd213733c4493fc1910164d825cac8

                                    SHA256

                                    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                    SHA512

                                    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    b8880802fc2bb880a7a869faa01315b0

                                    SHA1

                                    51d1a3fa2c272f094515675d82150bfce08ee8d3

                                    SHA256

                                    467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                    SHA512

                                    e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    ba6ef346187b40694d493da98d5da979

                                    SHA1

                                    643c15bec043f8673943885199bb06cd1652ee37

                                    SHA256

                                    d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                    SHA512

                                    2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                    Filesize

                                    72B

                                    MD5

                                    cefd002689b13d8866d0101bf013dc59

                                    SHA1

                                    6e6834bbe2d0bbb46f5adf44f0af38972aaf8f9f

                                    SHA256

                                    9c9ee5bf9a08c03dc7a82fed244889ef00aedfdb6df00853b71affc714197776

                                    SHA512

                                    75237d2540ae5e0918a20775c4fde95bf7ec6ed0254c5caa0219a046683161232e5eb62cd946d5879b1bdb8873ebb25808fe315cc0253b5b9d5cf197ebbd29cb

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                    Filesize

                                    188B

                                    MD5

                                    008114e1a1a614b35e8a7515da0f3783

                                    SHA1

                                    3c390d38126c7328a8d7e4a72d5848ac9f96549b

                                    SHA256

                                    7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

                                    SHA512

                                    a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    14e2c5363c79ecd977bbfdca8548fa43

                                    SHA1

                                    213fb5a0a2c3f587f847867c6fd2f5652efaa2c3

                                    SHA256

                                    42f599932a2955aba15ca59c5624a48a08db526bd00a0d928c23fd35c01593d0

                                    SHA512

                                    b8c7ffef39cf1e918b7b05a2b1e43355c3cd34db541c7636975700a8e78945a62d1765e323590b95c9834b1f6126066d40fd50b10eb0387bb8ab954031bfec25

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    20afc45fe33e57746af564f4d58d6a1b

                                    SHA1

                                    98982cf0bd104a7ff2ae2f5270ade5cc57d7194d

                                    SHA256

                                    45f3552ad9773dafc482c6d152bb185b1d6146ebf9645f68cd27d41482ae75e0

                                    SHA512

                                    55ea4f8e76bd0d27a8f2beeeccc5c6bf84c2998ec0cd0b1f2aa2e86059675f8d728d0775d9b6ff31540f049a67bfe3ac9b0a2ee97f69750c541ec48ea9784346

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    92a26b381bdc2d87a004b974a35030e6

                                    SHA1

                                    dbcf9b647bb6e82a7b9886db9d2dce8f647ef3d8

                                    SHA256

                                    e5ebb1324ce81f868d6d2055f8d563c600584f6464aec6a97e062bc294411a94

                                    SHA512

                                    f2aa41dff19de40045283250000f37475e1050b6d923808013ce6a03151da62d975b4dcfc4bafc86686a6a09f4f353b54539985314323939c6f4fe8b50b96f87

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
                                    Filesize

                                    41B

                                    MD5

                                    5af87dfd673ba2115e2fcf5cfdb727ab

                                    SHA1

                                    d5b5bbf396dc291274584ef71f444f420b6056f1

                                    SHA256

                                    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                    SHA512

                                    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                    Filesize

                                    72B

                                    MD5

                                    121a737fef3f4d27c817334d1134f0f9

                                    SHA1

                                    e1f6ced0cca2e03ffcd82002eb7df0357e806c8d

                                    SHA256

                                    5ed4c5d930959dfab289e2c3dbf4e05c3a2a0ec78231557489cd255dc7f67d99

                                    SHA512

                                    4e50c4899c676436a8262c84a2cd5c65799972f28d01e2ced1ad73070e17c261ee1860b371976deef2ee2173ea1e4f918fb892546c23bc9084cec77e70b234db

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5e8366.TMP
                                    Filesize

                                    48B

                                    MD5

                                    9d195beb234e46dd8d54a5072e6e90ce

                                    SHA1

                                    ec9f4ea0b7d71928c985587d39feef10269f2b31

                                    SHA256

                                    493afaa9b2b301449955007ccfd60b28de0b3f6011d5244b53493834dff2efbd

                                    SHA512

                                    598c7168db0dae0ee29d8ca6df43785cd48625b156c829d5361da6557e4708491b6b02590772ec78c249e4704d9b9408cd48ba3320bd9073c9897cc9ae1d76fd

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    10KB

                                    MD5

                                    2709875a694c8eb9a201975b9b918d61

                                    SHA1

                                    1f0c35e22e2b11b87be8d71c3a7e3eb6a750c3c7

                                    SHA256

                                    d4771dbc3a472256f1109faa310f26f1fcd720e20ec1c56897c294174681a761

                                    SHA512

                                    d65eb3da7ff80693bff795c91223d89e2eca162f1b16b9d1de11a47359867b8dfe4f61d295e567930d6daffedc3fdec8fe1ad246065a23ca23ed627dae12f12d

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    10KB

                                    MD5

                                    d5fd79e7beeef5b5174e5086ae624331

                                    SHA1

                                    118b528a5747099ed3efa0f50f89eb9e8b6f9fc5

                                    SHA256

                                    489722b9d6b5bd8b04902b563aa3f0b7dc4d7e41efbd2c5a5ddd73d10a440b55

                                    SHA512

                                    de9933b74dbf931aabdcc1a3b02c3a4e6a7c911b2a319c2989a46568362661a690c0b7eaf11e9a4a4f134044d971709008901d1c136e0dffe5bd3dbd2b6c47db

                                    Download Submit

                                  • C:\Users\Admin\Downloads\paysavecard generator.exe
                                    Filesize

                                    3.1MB

                                    MD5

                                    c7911e8d8567bc72e9729f27ec3fe9ef

                                    SHA1

                                    3fe4aedce153290c9ce3505b00336fbb3f681efd

                                    SHA256

                                    5caa09d74b35631bc9e505bfda7d27e638641543f928be859ba64847342d0125

                                    SHA512

                                    d774bd8b6d14b63624fd8720250e9ffcb34e8c32272425fc9867ed134cd23de18f81a22862dda00268e927fdc4f21f38557822a7d7f7d6fa94ba2f3f0edf711b

                                    Download Submit

                                  • memory/644-176-0x000000001B990000-0x000000001B9E0000-memory.dmp

                                    Filesize

                                    320KB

                                    Download

                                  • memory/644-177-0x000000001C1C0000-0x000000001C272000-memory.dmp

                                    Filesize

                                    712KB

                                    Download

                                  • memory/2996-168-0x00000000003F0000-0x0000000000714000-memory.dmp

                                    Filesize

                                    3.1MB

                                    Download