quasar | hxxps://www[.]mediafire[.]com/file/u41tw9kf0hqa24a/RobloxThank[.]rar/file

Analysis

max time kernel
441s
max time network
449s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/u41tw9kf0hqa24a/RobloxThank.rar/file

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.40.122:4782

rayanneaa-47070.portmap.host:47070

Mutex

fadb7f53-773f-4fb5-a4c6-eb00cc7b35ca

Attributes

encryption_key
F38746D956F52C2D74C5EA46908D0B22D4BB8A0C
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001db06-314.dat	family_quasar
behavioral1/memory/2344-316-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2344	RobloxThank.exe
1808	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
1156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
4072	identity_helper.exe
4072	identity_helper.exe
4568	msedge.exe
4568	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5868	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	5868	7zFM.exe
Token: 35	5868	7zFM.exe
Token: SeSecurityPrivilege	5868	7zFM.exe
Token: SeDebugPrivilege	2344	RobloxThank.exe
Token: SeDebugPrivilege	1808	Client.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
5868	7zFM.exe
1968	msedge.exe
5868	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1808	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1264	1968	msedge.exe	82
PID 1968 wrote to memory of 1264	1968	msedge.exe	82
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 3796	1968	msedge.exe	83
PID 1968 wrote to memory of 4480	1968	msedge.exe	84
PID 1968 wrote to memory of 4480	1968	msedge.exe	84
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85
PID 1968 wrote to memory of 3344	1968	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/u41tw9kf0hqa24a/RobloxThank.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff952c546f8,0x7ff952c54708,0x7ff952c54718
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,799952292415438752,7067935510518817927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:5992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5208

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5868

C:\Users\Admin\Desktop\RobloxThank.exe
"C:\Users\Admin\Desktop\RobloxThank.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1156
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1808
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b57fa68-adc7-4800-98b7-4b67b44982fb.tmp

Filesize
8KB

MD5
00fe1a34b25480c03cab12f8ebb3f111

SHA1
6ef45da156d5930ae88a8844ecf8dd5234885cea

SHA256
590c7c3dc160029dbb5229043a8056351dd76c92d586d4c1d29d1f8e28885fe5

SHA512
9e555806473f29387558f09f9ee720b2f6c6d95f56296ac4487083e7000a75c76d065e292d8c5c03109d022bf099169fb3f06433558f4a34b75afa0fe7082938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
004ae54e3ef57c2e5c5f1094b26e0655

SHA1
ab69ffe5ca27794558ea44f53ac0638659c2c140

SHA256
157079451d32e6c742eb764d35db19db1f707029c48919ca53ba842960806e87

SHA512
5a0d357f48812218a5a1c77601144fa68de868a0e9182f5828f8ae052b60b752db2e307976b7e35a51a83985e0a9682542dfbc2f7d1257715dddd55558e5972f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
be44d32017babb8c71f289be6cebab84

SHA1
87fb051de08a0aa02b0c1db69c6d81a42c44fc99

SHA256
ff44bc9209c8a0a212f6389b01bc55d7dc81d51a5abab400968202dad66381fa

SHA512
80b817ffe0bbccc55872f6020de79af08fe657a5a2c1475bed22e14fd5d5f74c035d209118c5a6527f5c85e60ded02e87d0f47442a74d4d42486e2c79dee97a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
62195306a8571905cba19244e5a49893

SHA1
0eab6d540d6871fb72896d1a6e828a3cb7f60006

SHA256
3e62b9dcd06b0f36be0eb8b8b25a337899bf20f5ecdd6c927cb07a3aec7946f8

SHA512
2ec7557d984bcf049c539706a4207098200376dc109afe8756692248690b56b867e3a4b83040f1ec8a526d2991703bf11045a1dab84ef00ede887c16995e77ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0853a18d79501dd3ad8d84fc9daf9495

SHA1
dcea112d10b2752a750ff21148f5218b91454da9

SHA256
2c35979bd7c340b3e79eb0fe5d889fdd1c29a238ab812ed7806d4d55e6dd969a

SHA512
18cd852981fb925066aaede8a75cddf36eea1e302c314eff6146149eeb5fb54741f137dc7fd4094e4e9cf77f4f82ed8f8f3210cb31c4ca4f62defa7d94173a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
89d22f24e5602c1c7e5a35f0562c3b62

SHA1
173cfd60fcf1b3c1250b79c9011ff4537d1e77e8

SHA256
cfb0aff219e0c1feef558b33ba8ec1d605ac2bd941bf42afdfb67e0a980e015e

SHA512
b41719d312dd0ca1478562a1447eedfdc1cb1d3493551c023bde9e812092271c21120e6999655fabb7070c06286dfab3cc4c237b5c776f9fd1d34ca7b8b1a6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c896a31d31528428573b35fc13089822

SHA1
8cd53acd98df9e686224e73ba2aaff6008dc5a2c

SHA256
d273f4b87ff424d7b9ec447dc7b8cef622282dc82c3cdacc19eacf5d5c363976

SHA512
fc350713b203af4121b7c1a84568c39b5cb9ab8605ee0a1ab36b2a0ca6156d11b1eb72e054ca53094c099bb617491510c34a547c0daa02e178842baf7cbd498d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
53db153fb04d370f72b69bbd1619c359

SHA1
1bc22d1d0919b4f1f6773d3bb2dc7f3fee4afeb6

SHA256
3da686b5e998287c7029b64b96e49b5288f0c5f72677640202d25d3c3fa917b7

SHA512
02e7548955defc49b2fcdbe1f8b9ff42cab0bd7956615b24ae4064052ce1a7506968abb9471576213e5431c4d76b21a7f8c8cd0f127f3e6ea24774a01fe82c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
60a399457dc389fe03c23df5b8c55029

SHA1
b7aaa5ed8c096ccb97478d0e1b6e099cdeb9e691

SHA256
d01d5c39abcc2b65f040da5488013416b1020d8053bf2b8e111b423626287f62

SHA512
1fae3c7806381e7e6b615f6779155c60ab49335ee98bc37d049af11b5643cc2184cab924cb0a0547d4979ff03dd7ed01d8291f4253eb7b183cd3a74554f379f9

Download Submit
C:\Users\Admin\Desktop\RobloxThank.exe

Filesize
3.1MB

MD5
0c91f5201af574c45a4cf08965801234

SHA1
b51e505973089a1cebe8e26fdc1a814b2bbc2c5e

SHA256
6ff96c2bc693e04027aa7bd141d37236cfa32740018b3aebaf21c66c81ae93d9

SHA512
0676e152487b9bf080dbe06068007be853491ae6e9233c1fc78e65d297edd6e5bbd9bb5498fcf76ad9ccc50728ddebbe0623024a826b541ae54eed88b66a92e3

Download Submit
C:\Users\Admin\Downloads\RobloxThank.rar

Filesize
1.0MB

MD5
2e68168a6d9fd4cdf5b583fefdc753e9

SHA1
eb060632d782f570994a0b8963527aaf7d643bac

SHA256
83ab51c9f1efe3de98f5f4451756d15b91857ec04fb7b389d313db4cbab3528b

SHA512
cf4e7e0b62f49398a5dbd703b0e74030a28185f1961cf80b501739b8d159612ab4c6d9706ace3e1a528598e54674391c2e04e954347a5730035f56a904fd174b

Download Submit
memory/1808-322-0x000000001B790000-0x000000001B7E0000-memory.dmp

Filesize
320KB

Download
memory/1808-323-0x000000001BEC0000-0x000000001BF72000-memory.dmp

Filesize
712KB

Download
memory/2344-316-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download