quasar | hxxps://file[.]io/7H9bgeiUZue0

Analysis

max time kernel
1799s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/7H9bgeiUZue0

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.0.2.15:4782

192.168.1.126:4782

Mutex

4b84a619-20b8-40e2-8cc5-ca041664030a

Attributes

encryption_key
B586FF2A75C4AA083FD785DCFA4782395F6B94AC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca9-187.dat	family_quasar
behavioral1/memory/5440-226-0x0000000000F50000-0x0000000001274000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
5440	Client-built.exe
5600	Client.exe
5964	Client-built.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 828560.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	Client-built.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5540	schtasks.exe
5712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe
1884	msedge.exe
1884	msedge.exe
3024	identity_helper.exe
3024	identity_helper.exe
5228	msedge.exe
5228	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5440	Client-built.exe
Token: SeDebugPrivilege	5600	Client.exe
Token: SeDebugPrivilege	5964	Client-built.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5600	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3700	1884	msedge.exe	82
PID 1884 wrote to memory of 3700	1884	msedge.exe	82
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 404	1884	msedge.exe	83
PID 1884 wrote to memory of 1648	1884	msedge.exe	84
PID 1884 wrote to memory of 1648	1884	msedge.exe	84
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85
PID 1884 wrote to memory of 4736	1884	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/7H9bgeiUZue0
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0a8746f8,0x7ffc0a874708,0x7ffc0a874718
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1701790583334051688,15396950452541320396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5364

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5440
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5540
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5600
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5712

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3cf5358b-430d-4402-be11-c2735433169a.tmp

Filesize
2KB

MD5
51e89bff83176c262e47ab535aad7882

SHA1
273b0ced53d241b5d900ebf29b76e7c019944e3a

SHA256
7204e8134b372e8a0dc1ed0d0bc761195337eabc53891d425009480b32714b16

SHA512
564cc20bdae93db89b0ea3872bca86e746ee3c9cd04293d66faf1257ef31619287502c7d4085d82d2aa97099a17587782d81fc5598e00de6b9d5fadbf6068ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
02c32f069d817afa12c90ea1a1ff12af

SHA1
e0f8a7d2fb83edc11949aa6e2a9416f225eae2c7

SHA256
df7a7614d54d806baa2a07fceca6bb4bf2728c2d3d6ed1e0bc16c3f24b5bcf86

SHA512
0d1a9e5e06271d77f6a49ebe6f2214304f53bc2585ddef975c72a532b584680e115105923a03930666e262e4c045c834e95966e505e347fc2c558fd34a4ad639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
0f1519616c6bace695f94bc21f9c9065

SHA1
51fdf8e952bd53d05e6f87f9ad95525d4d76d34d

SHA256
5e40ada7f99109ab10ab1282ce8ef4dddb78f67c41ad931e2a9592f0441d5dbd

SHA512
6a8b2a3bba6325af7de9d9f43daca9cd01cd1235514f1afa15764513beef6ac70b65fbe6b2f9e7db3cb62cc6dc1d1d2545fa9ca75494e16f9d0708e12e6873a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b658bf8b2ce63387648ccb1bb2809f55

SHA1
f4e51aedfb3460bc6f54bf8a7f59fed2a19eec14

SHA256
5ea900eb556b3c57a49e775ea7f2844ad5cb77a879064d199831b4ca452703fb

SHA512
70206ce98ae5aa59e73993d9e9de7c3c2ceac95c14684273bd45e789bd617d96c73405268d58fddcffea414bbfbed4d317484480f8c5af8b75f767cf47b3d5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7122cde9e9360926f5a61b6a01ca4099

SHA1
b2409c7143909d28d6ac6694e5cda2864561d26b

SHA256
2f32c937ef005b14300c7fe1e637341d9e6319944ef583a61b99e39a871b7b43

SHA512
7bb20048db039080e0e0dbfb4a87f446f7411e3f59a79babec459b4bdfe784c0a4b1421e808346981867e710a72dcc6300568622da1e6f9419f6b25f0400288a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ed001b39ffe678756827dc6f67be6c39

SHA1
3f8f7cf127eec3005091b6b8a45a48c55b43c684

SHA256
2fd2ded0a1cb0f9013d681fa2b8cea37a9ea6aeeb3de6ce7db797e3f0fd7b1e8

SHA512
c0158989c9ce205a1775293512750083ada059c5da3c122a5eb212a600fa50b670867d238a81c90461416c6d638d6614a55723884540a70a25feec6489a95606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2f3a11e2052db28cb919355d3f8f091c

SHA1
bed0293aabebe4df348cb2e1041423f4bfd4bf94

SHA256
d208efabf15f8b9d337dbab5cac37ec75221bbd128d6a201e0dc16970b3dc535

SHA512
cf105f2019049d55f7566f2e59ebc0fd9fec9a4ab0b18c90a16432d15a6a43f403d03befbb5ccf1cfad05948f779adcdcae3550cd293dc6a86a9d587960bd310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d90a.TMP

Filesize
2KB

MD5
5d31a37ffb0000dc7241759a0d1973ee

SHA1
65b3ce46ebb80827c05106205136cc1398e24dd2

SHA256
eb59fe209663d305e9e9893c04522f3bd9a8aa02e839692a923a337a2593a0be

SHA512
ec1669982df4d4ef5f039deb899e21cc25a2a8f07048faf89b1a8e77cb07d22a1a011295b2ec3ccf9a89ca85491274509305b60db405385103ff3390fc04abd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3516527d7133bc6a8b615b6f389c3cb0

SHA1
a7be5b31859ad679a601c3d4d3bfcfaad913199e

SHA256
3a268313d780027b5bd49f28ba153a1e79711bd8e89267aacf48e5e129d04c83

SHA512
16101636229746014573c96fcb34eabf50d5414c812884fd33be570613ac3b9286e49fe808c7e1f9e89bcfd9de3dad73c42e4b12c0d9f2856b3eecf0217517ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
48bb583cd5dcf43c14823a3e671d3bd8

SHA1
b2c4f1c62713a7da3c4880891fa94b0867f719b3

SHA256
4d17732abce4fcae69eb1d1fb7a6fdf1f48a531352f03527a1db33b52888b788

SHA512
6ea120d56983c4798a94d0f08da76ef67037f5e03b4a4ac07ba40ab789ecd82e9bac69a63d967e54268e2ece3f9f4aee43cb5b73b1a5a496d9ae760575efa575

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 828560.crdownload

Filesize
3.1MB

MD5
408a186c06a357a32313784632218d67

SHA1
f326161a0f7e55559ea8124d18cfb199b21a7aad

SHA256
48924ee0f8a88fedaf784980030dc4f9a14e62ea1ef6f9c40fc2c7d6e4d93dfa

SHA512
97a6de7cbd0a08825e9d534a83af767e9d6a9ade1a069af6a5fd2cda300b1b9e56511cd9fb4888292568249e0eca04ad5227106fd6fc9d50e5db3d13df93008e

Download Submit
memory/5440-226-0x0000000000F50000-0x0000000001274000-memory.dmp

Filesize
3.1MB

Download
memory/5600-234-0x000000001BBA0000-0x000000001BC52000-memory.dmp

Filesize
712KB

Download
memory/5600-233-0x000000001B400000-0x000000001B450000-memory.dmp

Filesize
320KB

Download
memory/5600-260-0x000000001C390000-0x000000001C8B8000-memory.dmp

Filesize
5.2MB

Download