quasar | hxxps://mega[.]nz/file/6LxBQSIZ#VB9F45Lo40naof5dSxKSkIAgyC5hik_L0IMmZmW9vWU

Analysis

max time kernel
24s
max time network
28s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-12-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/6LxBQSIZ#VB9F45Lo40naof5dSxKSkIAgyC5hik_L0IMmZmW9vWU

Score

10^/10

quasar office04 defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

Mutex

db9fc68f-a119-471d-a1da-8c05b040fb69

Attributes

encryption_key
D9A3BCABB4FA96AD64E6D72AF50FD53F0C94DB53
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Minecraft-Microphone-Modfix
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab66-195.dat	family_quasar
behavioral1/memory/4668-208-0x0000000000B10000-0x0000000000E9E000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4668	Mod Fix.exe
228	Client.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Mod Fix.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	Mod Fix.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 31130.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mod Fix.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2816	schtasks.exe
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
4900	msedge.exe
4900	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
2784	msedge.exe
2784	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3156	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3156	AUDIODG.EXE
Token: SeDebugPrivilege	4668	Mod Fix.exe
Token: SeDebugPrivilege	228	Client.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1364	4900	msedge.exe	77
PID 4900 wrote to memory of 1364	4900	msedge.exe	77
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3804	4900	msedge.exe	78
PID 4900 wrote to memory of 3568	4900	msedge.exe	79
PID 4900 wrote to memory of 3568	4900	msedge.exe	79
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80
PID 4900 wrote to memory of 4248	4900	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/6LxBQSIZ#VB9F45Lo40naof5dSxKSkIAgyC5hik_L0IMmZmW9vWU
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb03c3cb8,0x7ffdb03c3cc8,0x7ffdb03c3cd8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,10748278771322933531,4166893577421909484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Users\Admin\Downloads\Mod Fix.exe
  "C:\Users\Admin\Downloads\Mod Fix.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Minecraft-Microphone-Modfix" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2736
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:228
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Minecraft-Microphone-Modfix" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5303b4bf743654ba68b6779494aeb724

SHA1
ab17a87e53938234226246ca9593c7bce72d9dfe

SHA256
bca77029b2c74fabc94ee163f7ab8275337e40c06a6c8cf66742bdf008e53151

SHA512
dba95bd69da4106e6c72ec6d8f3f7c5e6f2631974a482a8b9d715d7e5e6b15e13e733474aa0e46f064435ec53550161a646eecc703f625c7cde62bfb34330946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aed4662a33dc269b1cf3829a36659f2f

SHA1
d1cfa5165b4ab41cecb6d5dcbb61b56a4e260b8e

SHA256
5bfa1a51b828893176ca447cf43ec4d96327cac58db7e5b940f6f5ab5054913b

SHA512
f5b24b319913647a843687db8b45a4e6646ffbf5d94e4f1d5e808e7a7bf59c9d7102a866f3db694c080fef39b55adb226eff861858b13910690ef32b255d1340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b5e3d43cd9d65380293ae84e0ec83b4b

SHA1
bc5aae464140bb4cdb17c572f1b6562ef34df406

SHA256
212694a311ada3ba008cdf46ca1e2e489ff4c885aac7e936e4e642d08da83257

SHA512
0b734ec032d33d685df0615355f1db95e6c211ee96f1b9baf4f3b68911c1eeaef19ebbfa81e9b150bdfeca2c1af28ae5b0468397c1c94165fbe88e46bdd80f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d096005209bfa7c61b7b8cb866f47eb

SHA1
e22d5b9a6a3faf4b519fbc481a4e748ac0b4bd73

SHA256
1088be455828b0c3a4a199ce61b157ba87122952106520181f9b6d28d1268115

SHA512
b5e2d63e0181b38753e7714cf4b5c4aabe33936ca5eabf88332808543692cfc9031bdd3546a810ed65cf2b48ff01c87e59887de17ae388558b22fc121e18f610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5c823046a37bdd2f33f9b5a301e85297

SHA1
9285d011e7f2bf0c178714ece8d48f0da30c712d

SHA256
879c157b9dfb2610863c9c85cf80bd45ac1bc0233fbbd81c980d11f3829cb705

SHA512
ce831b0441d9c351c08aaf377bffcea9116a0e8b23096f7c503594b1dd831dbeacaee6960ac03f7ac89733f9825153b0274f10e114c7bd22d79bb07f6c684096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c7a5.TMP

Filesize
48B

MD5
0ca6cd7ec3d22c88745436c76991027f

SHA1
bcfb5e5b5ab4d1ce9c5d8984602751fdb8094398

SHA256
d2be8304e064c52c7913a08198ecf7f194b0c36500055241c43dfbb8ec350f92

SHA512
36d88c0466fbd09202a9d72f87d104a8d514de6720c400e597fbdd768be7268d756f0a25494bbbd6869c7f1cd50098032ccd94c910e656ed45111c5cd85d230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
296a03e15b4f4838d5b7a7d634a7da2a

SHA1
afa9206a72852c0106239d3c2fc031b569a205d9

SHA256
9005c9273561e028d495e6d2eb767a8b462c87f954d619f8d74e156adf6c139c

SHA512
aa1bd02fd434e97bd9ec69c55f63eacdc176bebe4a72bec408c793756c9f12064d007d1dd08f8b42b5cf3869901a97cd9280f7a9564e02e305603bfb121f10b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c6f1adc9575efe2fdeff8fe8b7639a13

SHA1
6a4230fd0f8924a71c47c1e0919c7b668fcaa0e6

SHA256
a7ef53f15997110428e414a12241ee7b49ff5833f7e6979ef3a5a5dc5a52f867

SHA512
22d4eca204a32e2bd34ee1779bbf2f79a57fbff4f4cb5e8b41c408581a424203f4453431b891836108744ca8970b218043f04d7c5588dbbe12c5201813dd97bd

Download Submit
C:\Users\Admin\Downloads\Mod Fix.exe

Filesize
3.5MB

MD5
5f0e257f8e9438225757c526ddcdbfde

SHA1
df35878b60991fdee690e44254426752158040e9

SHA256
225e4140deac02a808b02d3a885aeb687649353c6a2e22368438c1f8e70bb6f5

SHA512
877ea1e40a42742eda58bbc2374ad7bc2eed03798f5d019fa12033a76e58083df78007bf5ccf2229b8d921ab305704d976efc1ca2f28eadd77423297be1dc603

Download Submit
C:\Users\Admin\Downloads\Mod Fix.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/228-346-0x000000001BA30000-0x000000001BA80000-memory.dmp

Filesize
320KB

Download
memory/228-347-0x000000001BB40000-0x000000001BBF2000-memory.dmp

Filesize
712KB

Download
memory/4668-208-0x0000000000B10000-0x0000000000E9E000-memory.dmp

Filesize
3.6MB

Download