
Reverse, Reveal, Recover: Windows Defender Quarantine Forensics

Fox IT

This QuarantineEntry is RC4-encrypted and saved to disk in the /ProgramData/Microsoft/Windows Defender/Quarantine/Entries folder. The contents of the malicious file are stored in a QuarantineEntryResourceData file, which is also RC4-encrypted and saved to disk in the /ProgramData/Microsoft/Windows Defender/Quarantine/ResourceData folder.