quasar | hxxps://mega[.]nz/file/6LxBQSIZ#VB9F45Lo40naof5dSxKSkIAgyC5hik_L0IMmZmW9vWU

Analysis

max time kernel
26s
max time network
30s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09/12/2024, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/6LxBQSIZ#VB9F45Lo40naof5dSxKSkIAgyC5hik_L0IMmZmW9vWU

Score

10^/10

quasar office04 defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

Mutex

db9fc68f-a119-471d-a1da-8c05b040fb69

Attributes

encryption_key
D9A3BCABB4FA96AD64E6D72AF50FD53F0C94DB53
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Minecraft-Microphone-Modfix
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ac51-192.dat	family_quasar
behavioral1/memory/4136-205-0x0000000000770000-0x0000000000AFE000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4136	Mod Fix.exe
2516	Client.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Mod Fix.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 874555.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mod Fix.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	Mod Fix.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
852	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
2112	msedge.exe
2112	msedge.exe
2412	identity_helper.exe
2412	identity_helper.exe
1292	msedge.exe
1292	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2320	AUDIODG.EXE
Token: SeDebugPrivilege	4136	Mod Fix.exe
Token: SeDebugPrivilege	2516	Client.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2516	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4948	2112	msedge.exe	77
PID 2112 wrote to memory of 4948	2112	msedge.exe	77
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 4816	2112	msedge.exe	78
PID 2112 wrote to memory of 1920	2112	msedge.exe	79
PID 2112 wrote to memory of 1920	2112	msedge.exe	79
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80
PID 2112 wrote to memory of 236	2112	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/6LxBQSIZ#VB9F45Lo40naof5dSxKSkIAgyC5hik_L0IMmZmW9vWU
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff882223cb8,0x7ff882223cc8,0x7ff882223cd8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,11411450904771627613,13783889721299429280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Users\Admin\Downloads\Mod Fix.exe
  "C:\Users\Admin\Downloads\Mod Fix.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Minecraft-Microphone-Modfix" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:852
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2516
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Minecraft-Microphone-Modfix" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
bb8199e01ab84933316136397c787847

SHA1
1c8447fb788944cdea93752029c4d365ef12a74b

SHA256
a19a8ad6b6f9aaeb2f5a817c4972df5bdd4bc0cd99fa27fbda4979947db6a70e

SHA512
f8f0b3cad45ddff2416a6dfca107f0fc606066d3bf0b58b350e3b553388abfb898ba1a2161b3fa9ffe6c358caefa49593fd77a83495c2ffe52ac27abf1732cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1a17a79a484eb9e0725d3cbd06c59184

SHA1
142543e2f0fe10a8897008baa35fc78a66c2d21d

SHA256
c4f4e6aa1d7d95e01ae1b01f884c80b57a2cebfb7328ef501b35b32a3217a175

SHA512
1a4fddb8ce3eb8f2c512c517783f5ed0eaf5f797af87802fb3ff0e81fca5b9415a77e8260a20eeee3967d97288864f436acce270e7448f4b00b57a9dad51161c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39615d02ccfb14600b15a760bbd9d24f

SHA1
541bdc68c072908961ae16ca6f8baf2c21583ff6

SHA256
6945c60919ec6c178e5af5621f2efd4f053bdcc2b0b664343772dbcf116f15de

SHA512
a56c4cc1dd0ae4f5df8c4238373a0f7a7a7a3776e142e9a14e0ba7f5e843e4c87b14b54a2f407bd5edfb4a2afe8a830e80e5dcdf30b8bba45fc1b63a3c21d660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37fe52cc63ea332d1e7d9b17a2722966

SHA1
22342c71b4211a4f6f43fa54f3e76091543b4b16

SHA256
1fd58de36f8d5774579182e50f3fb1ea48130fecadb94153349e6c247217812d

SHA512
43ede3ac380975a4b36ba9473bed2cf94975e9b36aaa323573e9ee14798527101644aae44d7fea9609afd11fdc905c5fab88f45bf4af62cb87128dd21fed2048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
778035c8cf806c3aef69de7f891a8900

SHA1
76ac8b250db9cb56f4ece67e576a3025e1758902

SHA256
8dd6f7a1ccc0eed6f4bcd943169e550ca90d935887d089a9d1ca851915e80cd5

SHA512
396cf60f711d96e90946d4e88d08e9f4d2b559238cdd783a87dc248993774c090948688f82b7440653a8e41ca5c4af5f06e6f26bee001bd1a25678b19a0650af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580e34.TMP

Filesize
48B

MD5
0846a50ebece7031c6045403e1f53d3a

SHA1
6e0acfa47dd628b9b4819ebf2b82983b813d85e8

SHA256
3cc8f5203ecc2ec59e405b1dc96f0d9dddadd650fce9666f7635307f6d979b72

SHA512
f6e04df6e1595b401329b431f1875a3e4042826d2d558ae13408a580ac55199ffda0de0d975a6139efdb7c9b6eb7dd5635f34e3dcb62bbba4d6cfb751b5a465d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eab576fee1a303acee47b00bc11b6b2d

SHA1
afc80a86cce06c0059cd2d5818f4a6b9ddd82cf6

SHA256
b9935b55ce5309211208ff216b4fff0d2bd0fac5aefa1469bd6e1363716a6c43

SHA512
7e8a5599d3776ecd33a0dd605aa88b1b7aac40e6e0c5b8e19df660c48d01cf9c73350219f1554dad9bd3f13339bacc3d43753ee2cf588ae6bd4931d5a6178593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ee8b7fd31a5f20cc1c4fb92f47c0055f

SHA1
34afe95cab759d8edcb0644e03d8d0580b6ad0e4

SHA256
01fa66da04788cad8fff86194bc581480d4e2f2312d9e6c41c0876f3cba7ef7f

SHA512
986c89f35f8c530ba8fca2ffc5a1473d23d8ec2ae2f370a21971c3b7ae8ebff0855a8258bf3d9367540311a024ecf8fa2fb4749b6129f841741e7d02b49eb1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b287b42efa0a260262b29ff6ec8f93ac

SHA1
13e7b38e9c2f227e55ac701e307a809c1f6169f6

SHA256
a8e3acc29f32c2d6131afb742ee5c3506374d713b71439dc485854a419c45a8c

SHA512
5f9707030b918bfdf24a2451c3aac68810a0b7c5b5ec4415fc8bec60f6491c936bfc19cbeafcf767d5e8638bd19914794d411bee8048965187343e82393e0279

Download Submit
C:\Users\Admin\Downloads\Mod Fix.exe

Filesize
3.5MB

MD5
5f0e257f8e9438225757c526ddcdbfde

SHA1
df35878b60991fdee690e44254426752158040e9

SHA256
225e4140deac02a808b02d3a885aeb687649353c6a2e22368438c1f8e70bb6f5

SHA512
877ea1e40a42742eda58bbc2374ad7bc2eed03798f5d019fa12033a76e58083df78007bf5ccf2229b8d921ab305704d976efc1ca2f28eadd77423297be1dc603

Download Submit
C:\Users\Admin\Downloads\Mod Fix.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2516-231-0x000000001BB70000-0x000000001BBC0000-memory.dmp

Filesize
320KB

Download
memory/2516-232-0x000000001C300000-0x000000001C3B2000-memory.dmp

Filesize
712KB

Download
memory/4136-205-0x0000000000770000-0x0000000000AFE000-memory.dmp

Filesize
3.6MB

Download