Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gofile.io/d/...

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-en
  • resource tags

    arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-02-2025 02:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://gofile.io/d/Qghnbe

Score
10/10
quasaroffice04defense_evasiondiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

98.218.3.74:4782

Mutex

50e9068f-e8d9-4363-bf89-859954325430

Attributes
  • encryption_key

    3F9AC61EC3C7AFC94074BECB23299DD92BEDC742

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Bob

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Qghnbe
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff865753cb8,0x7ff865753cc8,0x7ff865753cd8
      2⤵
        PID:2540
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
        2⤵
          PID:3684
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
          2⤵
          • Downloads MZ/PE file
          • Suspicious behavior: EnumeratesProcesses
          PID:776
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
          2⤵
            PID:4392
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
            2⤵
              PID:4784
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              2⤵
                PID:3344
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
                2⤵
                  PID:672
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:448
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
                  2⤵
                    PID:4548
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
                    2⤵
                      PID:2268
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 /prefetch:8
                      2⤵
                        PID:3580
                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
                        2⤵
                          PID:3688
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4200
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
                          2⤵
                          • Subvert Trust Controls: Mark-of-the-Web Bypass
                          • NTFS ADS
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3056
                        • C:\Users\Admin\Downloads\Client-built.exe
                          "C:\Users\Admin\Downloads\Client-built.exe"
                          2⤵
                          • Executes dropped EXE
                          • NTFS ADS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1140
                          • C:\Windows\SYSTEM32\schtasks.exe
                            "schtasks" /create /tn "Bob" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                            3⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:4936
                          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:3136
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "Bob" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                              4⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:1864
                        • C:\Users\Admin\Downloads\Client-built.exe
                          "C:\Users\Admin\Downloads\Client-built.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1976
                        • C:\Users\Admin\Downloads\Client-built.exe
                          "C:\Users\Admin\Downloads\Client-built.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4596
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
                          2⤵
                            PID:3480
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
                            2⤵
                              PID:3448
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
                              2⤵
                                PID:1620
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
                                2⤵
                                  PID:1604
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,11074643778628093087,18090173642131061803,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4600 /prefetch:2
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:872
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2252
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3560
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:1132
                                    • C:\Users\Admin\Downloads\Client-built.exe
                                      "C:\Users\Admin\Downloads\Client-built.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3848
                                    • C:\Users\Admin\Downloads\Client-built.exe
                                      "C:\Users\Admin\Downloads\Client-built.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1608
                                    • C:\Users\Admin\Downloads\Client-built.exe
                                      "C:\Users\Admin\Downloads\Client-built.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4920
                                    • C:\Users\Admin\Downloads\Client-built.exe
                                      "C:\Users\Admin\Downloads\Client-built.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3060

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
                                      Filesize

                                      1KB

                                      MD5

                                      b4e91d2e5f40d5e2586a86cf3bb4df24

                                      SHA1

                                      31920b3a41aa4400d4a0230a7622848789b38672

                                      SHA256

                                      5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

                                      SHA512

                                      968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      066befaf57a1c901c7c885b1996d027f

                                      SHA1

                                      25913cbfb3aadb0c7e28307f4d622296241fb1d4

                                      SHA256

                                      c3d2a6b2ef9f2bf15c227ea6008aba027c9b042ad63b2f243972df4cc86f3e6f

                                      SHA512

                                      6ebc8096cad307863ca43dff3cb3ddd3dc2acd701bceefc7eca6411efa1b7a1fbafbe856ed9aede6dbb8a145887ded344b013d3e20d6950749f5f1d3ac126c6e

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      4ad7e2823ed71b5f41dbe2e9db624220

                                      SHA1

                                      e3b873970c0af4dfda35b103b11966c64f71afb8

                                      SHA256

                                      9a6b7133374433f1ac7479b4d275efd79962d44e8c3f02d00e91712c7cf33a84

                                      SHA512

                                      aee44a4b77189040c7a62ec6135dd761b983a266414c19f681ecba19812f5a863310d1bfee4041b1537b0098ec455931569e80bc5e2e8b1f075e294d3e445c62

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\45f92812-3247-4daa-a8f1-169e5196d148.tmp
                                      Filesize

                                      5KB

                                      MD5

                                      a808fd6a6ee87fdcd69445cb7fa37c26

                                      SHA1

                                      6f09b81c0be8bcb4269ff40b1dc8b3659143debc

                                      SHA256

                                      ccd0eda8791babe2842edb2fcdecbbf8c5b462dc7cac6beea340bc7b639d878e

                                      SHA512

                                      0f3d396c154e9737ff0193a42f4d70c7a9a6e0a1ca93d06fd8dc43fdc6f81996a1c2ec8ec37c7952dc9ddb7da0b92145eaa946d0f9716683225660bfd7ebb6f8

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                      Filesize

                                      144B

                                      MD5

                                      82b9286cf5be698f548217fcdadc9905

                                      SHA1

                                      a2e9cdb657cd9f678d8f1308dc699c029858840b

                                      SHA256

                                      1e4fc9363d349ad03b27fa2292b68e03778e6994bf1e9c80294fdf89760bbed1

                                      SHA512

                                      39e0e002a52713098b73d45280c06ddbb88fa411e05ddb4fa37b8e578269605c934df8d2b9b7ea45560a7a0983507041e63cf6fa58e79ad55ba713ba70a69b18

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      6KB

                                      MD5

                                      f8f2bbae0fe504686dab39399f769408

                                      SHA1

                                      ca5b6a2f6f888ecd522d7006687e938f429f0772

                                      SHA256

                                      c4d1acd5b79e61b4b9e8643e0b88efd8939e107f0eba814914cd625bd3f6f89f

                                      SHA512

                                      192ca1e8ef8282b364a0483dde5532ea48dfccfd4f2a0b0895fd3732ffb94f6a27d0ec50ce699ddfaaa43209b260e98484ac183111c0f1ab8e5d547d3b30c567

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c689ca07-0fed-4378-90b2-bd00332078ca.tmp
                                      Filesize

                                      391B

                                      MD5

                                      0f6d48d28f3398c4f70388657884288f

                                      SHA1

                                      296a46a341d8fa303970053f713b27277ba0f139

                                      SHA256

                                      023d03a2f36fac62c6a15b3cbb3c419a1299f32446831e615eefd08303674cf6

                                      SHA512

                                      a26af5692fa87154e2e2cbb15b307eb1a9cf4f11ef0881d55a3bb36da4c19d85917887098c3b801d61f0fae9e5731aa56d339a44397a8a0299ec4811d8e94f64

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      46295cac801e5d4857d09837238a6394

                                      SHA1

                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                      SHA256

                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                      SHA512

                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      206702161f94c5cd39fadd03f4014d98

                                      SHA1

                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                      SHA256

                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                      SHA512

                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      11KB

                                      MD5

                                      4641d76204439715a738023bd18729ba

                                      SHA1

                                      8fc7c9584944c781af072e09e92bda7482d77183

                                      SHA256

                                      295d503942349bd9f0e1cef753b5004acdfbfe3e40b5440bd3ce03e5476e5ed6

                                      SHA512

                                      ea76a6f697917a82543af011aa1f75f872578ce5564298a4b5936ff9c7ae0412052dfd507fcfc67e22d2b299c4bd24d8ee8e2e7efd9f34eba5062d1e7222e6e9

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      11KB

                                      MD5

                                      48f9aee85d26649bd7f33ea0a251554e

                                      SHA1

                                      cc12fa61f5070ef7a7c39cd66e07e3fae4572eab

                                      SHA256

                                      5b789ae7929e620fd9184e7dd444eb2fefb1773ee4a318cb8099d7f4e66c647f

                                      SHA512

                                      81bb9fa1a7e8432b80eb71502577d3e304c3437fbed15a72972508fc5a80bf76260eb09307d59269ea1cdeffe3e6624d0d97237743608d450e55f3ae7a4dbf06

                                      Download Submit

                                    • C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier
                                      Filesize

                                      26B

                                      MD5

                                      fbccf14d504b7b2dbcb5a5bda75bd93b

                                      SHA1

                                      d59fc84cdd5217c6cf74785703655f78da6b582b

                                      SHA256

                                      eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                      SHA512

                                      aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                      Download Submit

                                    • C:\Users\Admin\Downloads\Unconfirmed 116891.crdownload
                                      Filesize

                                      3.1MB

                                      MD5

                                      bb1c4dce21f5c456bd7a5e9fd4d97588

                                      SHA1

                                      591fae4f6bdebcaf83ccc1bea37113956b373ad1

                                      SHA256

                                      781d04dfdbfc7d4ac681f23fc8501b29390c42874e59a647273790e3cc073ce0

                                      SHA512

                                      a01d016fb7afdae41787ff8d8d5de355f040fbbd6789ad845d089116c6e0092aeab95cf91ee7e4dbda4dada1c082e9003d61acbfafe4dfa203fa5b999d161b6c

                                      Download Submit

                                    • memory/1140-99-0x0000000000EA0000-0x00000000011C4000-memory.dmp

                                      Filesize

                                      3.1MB

                                      Download

                                    • memory/3136-108-0x000000001C770000-0x000000001C822000-memory.dmp

                                      Filesize

                                      712KB

                                      Download

                                    • memory/3136-107-0x00000000033A0000-0x00000000033F0000-memory.dmp

                                      Filesize

                                      320KB

                                      Download