Analysis

  • max time kernel
    886s
  • max time network
    901s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    17-01-2025 14:05

General

  • Target

    loader.exe

  • Size

    3.1MB

  • MD5

    f8005ed6248fe1b06c0b17b6e22d25a7

  • SHA1

    905d315d3a227248b89ad1a0389051e8351a6235

  • SHA256

    8f00cd6fa542c1847aa45bc2447421adcbdd0b2d8d5ab6de9b92f20ca14aae37

  • SHA512

    8eb5092b6b28f2651ecf8318535e42606f1fc585b089928ca519a1ce3f7a087755fde07078b0ef9109e8081d78805e339e77bf23e10b79c8ffe040bde6ceaddb

  • SSDEEP

    49152:HvyI22SsaNYfdPBldt698dBcjHb5xNESEJk/ilLoGdzTHHB72eh2NT:Hvf22SsaNYfdPBldt6+dBcjH1xE9

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

26.160.231.118:4782

Mutex

029aecb2-1011-46ca-b46a-5adb92b6bd76

Attributes
  • encryption_key

    446E052D4DC2A4CD1DC163FE5FE65B68BD5EF859

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3212
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2800
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SendFind.xht
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4040 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:236
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\InvokeAssert.htm
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff83e5b46f8,0x7ff83e5b4708,0x7ff83e5b4718
      2⤵
        PID:5024
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        2⤵
          PID:5104
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1556
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
          2⤵
            PID:1856
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
            2⤵
              PID:1748
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
              2⤵
                PID:3596
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
                2⤵
                  PID:4736
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
                  2⤵
                    PID:3008
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                    2⤵
                    • Drops file in Program Files directory
                    PID:1744
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff6a6005460,0x7ff6a6005470,0x7ff6a6005480
                      3⤵
                        PID:2408
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3632
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
                      2⤵
                        PID:4296
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
                        2⤵
                          PID:4592
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
                          2⤵
                            PID:1128
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
                            2⤵
                              PID:4512
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
                              2⤵
                                PID:3816
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                                2⤵
                                  PID:4760
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
                                  2⤵
                                    PID:2284
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
                                    2⤵
                                      PID:3688
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6368 /prefetch:8
                                      2⤵
                                        PID:3252
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3540 /prefetch:8
                                        2⤵
                                          PID:3200
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:8
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4316
                                        • C:\Users\Admin\Downloads\loader.exe
                                          "C:\Users\Admin\Downloads\loader.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3064
                                        • C:\Users\Admin\Downloads\loader.exe
                                          "C:\Users\Admin\Downloads\loader.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4364
                                        • C:\Users\Admin\Downloads\loader.exe
                                          "C:\Users\Admin\Downloads\loader.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1156
                                        • C:\Users\Admin\Downloads\loader.exe
                                          "C:\Users\Admin\Downloads\loader.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4880
                                        • C:\Users\Admin\Downloads\loader.exe
                                          "C:\Users\Admin\Downloads\loader.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4636
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,308677343291519401,15391215459809677472,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1388
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:640
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4296
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5064
  • C:\Users\Admin\Downloads\loader.exe
    "C:\Users\Admin\Downloads\loader.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3360
  • C:\Users\Admin\Downloads\loader.exe
    "C:\Users\Admin\Downloads\loader.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4500
  • C:\Users\Admin\Downloads\loader.exe
    "C:\Users\Admin\Downloads\loader.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4144

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

    Filesize

    1KB

    MD5

    b08c36ce99a5ed11891ef6fc6d8647e9

    SHA1

    db95af417857221948eb1882e60f98ab2914bf1d

    SHA256

    cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

    SHA512

    07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    c8eb7d84aaea5c0c37cdce43d1ad96dd

    SHA1

    0a27d004b734e4c486372c6888111b813e806811

    SHA256

    27ec491fe2b7f0eb567a44deb50c74408376ff3addf6c88a2b1060adc4a5976e

    SHA512

    f39070a20583f7ff33b7b3c0e97c08da2a3ff36049e256bbe0d0031bf15579c6d9c3da8d1f9daac1073519b648a1d005a8fa195ee2232b2962516e9aa14dac3f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    d4bc32eb841f2b788106b7b5a44c13f4

    SHA1

    27868013e809484e5ac5cb21ee306b919ee0916e

    SHA256

    051cdf1896c2091e9ff822c2118fda400e2de25ee323e856bf9eb0c64c7a7257

    SHA512

    7a4963ea09832503179642ee750b1c8024373c66b4fce2bd316b782d1fc670c1c77cdb31f9316b34c78b6f3f1c99d90fb50e0500b72f4a647adf7653c44d242b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

    Filesize

    144B

    MD5

    95c23054c091eb72dc45e7ca6364e973

    SHA1

    79baea3d53d7601081da4006c18ec8fb96726471

    SHA256

    9f6d5dcef2981e31d68ef7af24a502df826b719b6364016f052ae3c52eb6d348

    SHA512

    f497b2320d333ffa8a52a78dacd898ea90bec5ae7b0d1aa7421be62c8ece4645cfd740b35d3be219ee86e95c4b780857fc4faeaa64d1d5cb875fbcb351536ead

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe59093d.TMP

    Filesize

    48B

    MD5

    f7f22271cc9a7603f09b26158958ce7d

    SHA1

    4391ec2110e8a2eb3ab8dc115300648c4f9b81b7

    SHA256

    0a15cf73abf2a13687e6e2a96d4d986f374e4c6fc7407e0814203ca2b87a81f8

    SHA512

    a558a0adeddb5783bd381beac95b166144647c3421db00e4743983bdcc762235198b28e26e565687b4fd9c5956b1106706935e51bbced7c32460a23f46bb31f6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

    Filesize

    70KB

    MD5

    e5e3377341056643b0494b6842c0b544

    SHA1

    d53fd8e256ec9d5cef8ef5387872e544a2df9108

    SHA256

    e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

    SHA512

    83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

    Filesize

    469B

    MD5

    40b4a0aa06266b66339b9905f7c00c21

    SHA1

    a3b2cd67bff4941b612cea362c55942bd0bb3b23

    SHA256

    8ebfd1760fc6bbd54610e11a3acc7818a03cdcf28800e886c2daa43d33bf62aa

    SHA512

    082ed97ace3db6da61427eecf96b98c2d12e87a553ce05bb6dfa8dd51b82f3e68d1bfb3375532d299a1ec8b01e71654938cbfa4a428fe36923f3b7697aab4971

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe597843.TMP

    Filesize

    59B

    MD5

    2800881c775077e1c4b6e06bf4676de4

    SHA1

    2873631068c8b3b9495638c865915be822442c8b

    SHA256

    226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

    SHA512

    e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    55490213aba925c78f09d79cbb87cd1f

    SHA1

    2cd90cb8b8b276ebb54d2e091432aa4704f7c904

    SHA256

    a3cc6bff7ee36247cc97daa8f1bdab4cb693e50611715f8e51dd374128fbf085

    SHA512

    77d4ee48518153dfdb74ce6dacd07030b84455ff3ffb899a4b1ce760bd3ba4a7332314ba9579fb4fafb465cc83cba361f9a1875325b66c02f3e17e03cb7f4aed

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    b6b89977d2a536647b56561729b24c45

    SHA1

    a6bf574fb9d2e80554b1c071f0aa444ba0bed2bf

    SHA256

    c1488737e422518df041586996a0926efb0ab8582aadce2764ab0111d7a5db9b

    SHA512

    10af2272c161ea62875154727ce2ea8ce80ebc244095e06463304f9259aa616df4a5b5c020efed93fb891d71a06bd95fdba0f6d2d142bb768c249e844d297cc1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    e7e650dd4c9274145cd9f85ad7cc75b2

    SHA1

    de167f05e9910e132ff148cf6568dae87700df80

    SHA256

    d318fe26f09c7a9dd3a30f86cfc2b6d2877bf9a8cd59c7bc68a98afd91f7d36e

    SHA512

    6da6ce1c49228affcbd71f44b7830d6a688e2de0ce69f6e726d40d28ac2d0f0269e90da065ace1f16851ce94bfe28637e36416de6d5bdfe2b54e3bd47f9f479b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

    Filesize

    24KB

    MD5

    b321aef296129848c0c2c5c77ee69951

    SHA1

    402afa01ec8a6990a78514994f9648aedead5817

    SHA256

    e44d575c1dfcf221b68c84c2cf1d4f1bea45a7e32cd8010228acff6120daff1f

    SHA512

    cbb689d400fceb2f59d67e9e9d28007d2bb7562cf18f806420a9adbb08e0be5825153a44d4199ed03fc8e87311c2f5d4ab9aec5f3667984572070487475e8642

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

    Filesize

    24KB

                                              MD5

                                              6338e51cf2d1cb4bfea21c7d81cb3dc3

                                              SHA1

                                              0049d2863f309423d889fed141ef1f146246ac82

                                              SHA256

                                              2636a794e74289532973b8f1f9c62a0009520dad49951c956dceba846835e0ac

                                              SHA512

                                              ffcbb8f086de4ca9b51f2a86ff75f283afd9a08ba7fdfc16b119f4b80e452579fed0c7d5eb02cda11e6d7c6762ca8d5a1e542e90e106020f530d755933fb3ea2

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              206702161f94c5cd39fadd03f4014d98

                                              SHA1

                                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                              SHA256

                                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                              SHA512

                                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

                                              Filesize

                                              41B

                                              MD5

                                              5af87dfd673ba2115e2fcf5cfdb727ab

                                              SHA1

                                              d5b5bbf396dc291274584ef71f444f420b6056f1

                                              SHA256

                                              f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                              SHA512

                                              de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              46295cac801e5d4857d09837238a6394

                                              SHA1

                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                              SHA256

                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                              SHA512

                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              8KB

                                              MD5

                                              68bce50ecaddc7705e1dcf43185d7057

                                              SHA1

                                              eae2f4fcd8c22da8507a1a77ca1fb12983a811d6

                                              SHA256

                                              1f3a1812f08aadbe029913170fc4716402877c051ddfbf24583e53c6b134c069

                                              SHA512

                                              43ef61c9833d4cda773bbc5cf6b300f89529abe0e5ab1a68e2878756c87200ad6761b452afb5f3b58891ad2c3ca5a92b7c3692eb536ae78b8862a21e1ae01f21

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              10KB

                                              MD5

                                              e258c04c016b63f5571e8b78afbbbd26

                                              SHA1

                                              9d6439d10a8660005665090a95fda5463b797ee5

                                              SHA256

                                              47fe48aaa973a7969e204f37dc47f8eb82b4fa2a80140b91b06af025ede0b71b

                                              SHA512

                                              5ecc7ee2dab8a3e582785e685b5f79f9e2570f60ecc372e92d64dfc643c1b226c07fb2c9e29252de4d6765531f4c33b82748904db10b7509ebbf19988779c991

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                              Filesize

                                              3KB

                                              MD5

                                              6ab2038e75c242b495b7f8f450a49dff

                                              SHA1

                                              04a2da4caba2fbdc38010249107a4973e7f0d779

                                              SHA256

                                              166f3b87daac12f8c516c3ec3ee3595d6b552432c0a07566089d1bb877c1efc4

                                              SHA512

                                              31a1619bfebd5e3b655129a652f4b565a06e1b4b674f250dbdc762bd9494d0c6a9158d4883f04ea0e513a852632574b7938d506d92fe673c64cd1254e7e484de

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                              Filesize

                                              3KB

                                              MD5

                                              687a9434502736510961fefedae4cfd1

                                              SHA1

                                              dff6bea6985cf6d1fef7a599b4f748cfb1afb7ab

                                              SHA256

                                              5c60c69c945237633fecb62cf32c79e98499ca3d137f19f40144bb51028bc5fb

                                              SHA512

                                              573948f1e9e8363b4c5e2297a2070013ec2f9dbbef4f7093233013b42f4ae05fc667994fce132ad6f7e33c30bcce06202e1b2a32d97bcbe4e1f0beec378a5b05

                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

                                              Filesize

                                              3.1MB

                                              MD5

                                              f8005ed6248fe1b06c0b17b6e22d25a7

                                              SHA1

                                              905d315d3a227248b89ad1a0389051e8351a6235

                                              SHA256

                                              8f00cd6fa542c1847aa45bc2447421adcbdd0b2d8d5ab6de9b92f20ca14aae37

                                              SHA512

                                              8eb5092b6b28f2651ecf8318535e42606f1fc585b089928ca519a1ce3f7a087755fde07078b0ef9109e8081d78805e339e77bf23e10b79c8ffe040bde6ceaddb

                                            • memory/3724-9-0x000000001E470000-0x000000001E522000-memory.dmp

                                              Filesize

                                              712KB

                                            • memory/3724-10-0x00007FF844E10000-0x00007FF8458D2000-memory.dmp

                                              Filesize

                                              10.8MB

                                            • memory/3724-208-0x000000001EDA0000-0x000000001F2C8000-memory.dmp

                                              Filesize

                                              5.2MB

                                            • memory/3724-8-0x000000001E360000-0x000000001E3B0000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/3724-7-0x00007FF844E10000-0x00007FF8458D2000-memory.dmp

                                              Filesize

                                              10.8MB

                                            • memory/3724-6-0x00007FF844E10000-0x00007FF8458D2000-memory.dmp

                                              Filesize

                                              10.8MB

                                            • memory/4740-0-0x00007FF844E13000-0x00007FF844E15000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/4740-5-0x00007FF844E10000-0x00007FF8458D2000-memory.dmp

                                              Filesize

                                              10.8MB

                                            • memory/4740-2-0x00007FF844E10000-0x00007FF8458D2000-memory.dmp

                                              Filesize

                                              10.8MB

                                            • memory/4740-1-0x0000000000930000-0x0000000000C54000-memory.dmp

                                              Filesize

                                              3.1MB