Analysis

  • max time kernel
    1798s
  • max time network
    1807s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231128-en
  • resource tags

    arch:x64 arch:x86 image:win11-20231128-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    01-12-2023 22:21

General

  • Target

    Quasar.exe

  • Size

    1.2MB

  • MD5

    12ebf922aa80d13f8887e4c8c5e7be83

  • SHA1

    7f87a80513e13efd45175e8f2511c2cd17ff51e8

  • SHA256

    43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

  • SHA512

    fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

  • SSDEEP

    12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

8.8.8.8:4782

Mutex

515013e8-abbd-44ab-9101-e876186630fd

Attributes
  • encryption_key

    F6DE1467377AA97CD6B82E38020633777CDA2580

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 56 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quasar.exe
    "C:\Users\Admin\AppData\Local\Temp\Quasar.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4992
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.0.1638458085\1750171200" -parentBuildID 20221007134813 -prefsHandle 1768 -prefMapHandle 1764 -prefsLen 20806 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d081f7-c362-4784-8c3c-3dafbe66a364} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 1868 1ff35116658 gpu
        3⤵
          PID:2044
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.1.580553069\1454555629" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20842 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa17472-b837-4fac-95a7-562c00b55b41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2244 1ff33efa558 socket
          3⤵
          • Checks processor information in registry
          PID:5112
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.2.1624495043\176543632" -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2828 -prefsLen 20945 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9896c26e-13f9-4f87-8cf3-4d0d817439d6} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2844 1ff392c6c58 tab
          3⤵
            PID:2648
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.3.121291919\1092289604" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26124 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {156b422a-6fba-4e66-8aac-35d0ce5befb9} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 3508 1ff27f5e258 tab
            3⤵
              PID:4652
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.4.870837767\62852592" -childID 3 -isForBrowser -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 26183 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {928d66f5-cf09-49aa-97e8-79006b861377} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3b2fa158 tab
              3⤵
                PID:4132
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.5.807145398\217926177" -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dbe736-72b0-4832-bb5c-f07c189ae6e7} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5328 1ff3b2fce58 tab
                3⤵
                  PID:2176
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.6.1116477458\1265926687" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5320 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9661152e-d84b-44e6-8a0d-dae3a7770c41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5288 1ff3b89be58 tab
                  3⤵
                    PID:712
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.7.1686810636\328676984" -childID 6 -isForBrowser -prefsHandle 5628 -prefMapHandle 5688 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4f19dc-e37c-4b17-a85b-153112ed7f45} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5680 1ff3b899158 tab
                    3⤵
                      PID:4908
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.8.1807087145\960263319" -childID 7 -isForBrowser -prefsHandle 4860 -prefMapHandle 4752 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e179ae3-6a28-42b6-8e38-145ec0c0876d} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3a315b58 tab
                      3⤵
                        PID:1660
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.9.34196916\1330491773" -childID 8 -isForBrowser -prefsHandle 2940 -prefMapHandle 5552 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12f04b91-e66d-4d06-bbec-0a36ff311602} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2928 1ff369f5558 tab
                        3⤵
                          PID:3232
                    • C:\Windows\System32\rundll32.exe
                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      1⤵
                        PID:1164
                      • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
                        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
                        1⤵
                        • Modifies registry class
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        PID:2808
                        • C:\Windows\explorer.exe
                          "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
                          2⤵
                            PID:4688
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious behavior: AddClipboardFormatListener
                          • Suspicious behavior: GetForegroundWindowSpam
                          • Suspicious use of SetWindowsHookEx
                          PID:3516
                        • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
                          "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
                          1⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3388
                          • C:\Windows\system32\SubDir\Client.exe
                            "C:\Windows\system32\SubDir\Client.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of SetWindowsHookEx
                            PID:908
                        • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
                          "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
                          1⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2772

                        Network

                        MITRE ATT&CK Enterprise v15


                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

                          Filesize

                          1KB

                          MD5

                          b4e91d2e5f40d5e2586a86cf3bb4df24

                          SHA1

                          31920b3a41aa4400d4a0230a7622848789b38672

                          SHA256

                          5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

                          SHA512

                          968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bmp1livs.default-release\activity-stream.discovery_stream.json.tmp

                          Filesize

                          21KB

                          MD5

                          d9c9dfbaf9485188c56c98097df639a7

                          SHA1

                          c353f7cdc3f41cefe233e0105e3519f8493cad3e

                          SHA256

                          7dfda55001da9d98afa0d4e6f7bf9ac43a73b5285dbfc00bbb154c5f17451707

                          SHA512

                          15e55b1053971765c998b133a8ee2e3ae6bca10744096aeae19d3f14a0d65ac44e73c890db5b69ad2d68b2a2fcc94a160f5decf67c644314ff5112e76b9036b4

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bmp1livs.default-release\cache2\doomed\4722

                          Filesize

                          10KB

                          MD5

                          c7e31533c3344d20e1aadaa068ca6dfa

                          SHA1

                          42cd512b5687ec73f300a587d7634f18f2f81ba4

                          SHA256

                          c25498aaafd0846c7a3a27fc1081aeb2142e04fb55eaa5106a6f62b6b0a6e496

                          SHA512

                          1c922bb364e8663708e498e0e4b83f08d45ea39ff048016f7ed823a4824f950c1d87d0a5fcf214eafa9e863c72f39ae422f75a4b32c7d66638704a36313a0630

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                          Filesize

                          442KB

                          MD5

                          85430baed3398695717b0263807cf97c

                          SHA1

                          fffbee923cea216f50fce5d54219a188a5100f41

                          SHA256

                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                          SHA512

                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                          Filesize

                          8.0MB

                          MD5

                          a01c5ecd6108350ae23d2cddf0e77c17

                          SHA1

                          c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                          SHA256

                          345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                          SHA512

                          b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                          Filesize

                          19KB

                          MD5

                          269c30a6eaf067846eb28bac413675f3

                          SHA1

                          ffb076c623d65759e6edc48ae39c7514fc8196e5

                          SHA256

                          adb9798d605a7ae50f03a6bb96307a592df8de1750c15d47307c290663668cf4

                          SHA512

                          de7c4773fd61c988c6a50112e7ef715a4bb941fb715a31dfd1511f37e01cae7bf95c1c6ba77c8c03b947f24303f39b41b23ce0fc86d022c381940116ee010424

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\db\data.safe.bin

                          Filesize

                          2KB

                          MD5

                          039e30a0b330714d0807614f694df66b

                          SHA1

                          102c4aaf1f8013fc0c95dcdddf40b5e62e5dc808

                          SHA256

                          0c102c2c417612f4074d50daea4d9607a7dbc3664da9799add81f9b720509fd2

                          SHA512

                          47bece7633b7d37b944096e427455262d8209020116afc0661de65c5f0ad4fc03cc5d9c0f8d8c130cd8d596701214005ea1b1301f4a9f5f271965f4177bc4a39

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\pending_pings\48bf7a9c-ece6-4c4c-b1a0-efd6625e12ab

                          Filesize

                          10KB

                          MD5

                          bb8ccd513f71655d03a64fab9915ad63

                          SHA1

                          ef8cc1078366f63bd4169a8f01ee93efc55a8e78

                          SHA256

                          b31fb401262df7ddf3fe70e99bfe3389662f08e5b26d3c48de04c08d15bc60dd

                          SHA512

                          f1924b107827fc0a86147ccc2c87c181934c6a930d6b60d0be91080d45778b8b133c9098c6c2c0b09fd41889b92378d65ddf94de074b13c237ff40fcf2244d13

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\pending_pings\998d9740-1270-43da-a5d7-62a1c9e37e84

                          Filesize

                          746B

                          MD5

                          85b00861af634ad0ac6d81c3bfdbe0ae

                          SHA1

                          c43577d295fcfce5aa869978f5f08f05dd99089b

                          SHA256

                          2543a6e0eeda1887818ef34f095019b4a8dda2b8c75c2ea9449f2a5720d8dc5d

                          SHA512

                          c28a2260c51997142f4755a59641b5652a96ae4e3104382e7abc86f3ef0e8c67ffd39cee801569473d28e72e64f04f1ac6d867953a143d583934413ad7afeb7c

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                          Filesize

                          997KB

                          MD5

                          fe3355639648c417e8307c6d051e3e37

                          SHA1

                          f54602d4b4778da21bc97c7238fc66aa68c8ee34

                          SHA256

                          1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                          SHA512

                          8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                          Filesize

                          116B

                          MD5

                          3d33cdc0b3d281e67dd52e14435dd04f

                          SHA1

                          4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                          SHA256

                          f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                          SHA512

                          a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                          Filesize

                          479B

                          MD5

                          49ddb419d96dceb9069018535fb2e2fc

                          SHA1

                          62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                          SHA256

                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                          SHA512

                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                          Filesize

                          372B

                          MD5

                          8be33af717bb1b67fbd61c3f4b807e9e

                          SHA1

                          7cf17656d174d951957ff36810e874a134dd49e0

                          SHA256

                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                          SHA512

                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                          Filesize

                          11.8MB

                          MD5

                          33bf7b0439480effb9fb212efce87b13

                          SHA1

                          cee50f2745edc6dc291887b6075ca64d716f495a

                          SHA256

                          8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                          SHA512

                          d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                          Filesize

                          1KB

                          MD5

                          688bed3676d2104e7f17ae1cd2c59404

                          SHA1

                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                          SHA256

                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                          SHA512

                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                          Filesize

                          1KB

                          MD5

                          937326fead5fd401f6cca9118bd9ade9

                          SHA1

                          4526a57d4ae14ed29b37632c72aef3c408189d91

                          SHA256

                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                          SHA512

                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js

                          Filesize

                          7KB

                          MD5

                          76d53e50c31b2120ebd423103c3e561b

                          SHA1

                          ed1b259ddafcd538978028b1fc2c34c313dfdd1a

                          SHA256

                          4b2373a711857af4d679825e340427b190da2d11e3f0a2716955c8f726bfc4fd

                          SHA512

                          40c0a5c6a7daaa9eeae89a85bb26d89142e5b4682c6b31634b3ea58e92f8d06cd98312a89852bcf80c450f8c6eb1bf9792d25ee6f2829d2c371387af7fe08e82

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js

                          Filesize

                          7KB

                          MD5

                          9c66695448f68f7614feecf811d88a04

                          SHA1

                          05480a6029c87fc982c2922eccdeeec738b7655a

                          SHA256

                          198568fa10132130bd1f524e504da188c6b357fff00f85741c5a165bb110552d

                          SHA512

                          4220888f0b3b7501d45a60a0452edf625f890018222c2f48b4a7d81637ee9b4e9d945933a995f08e4d664608dd42897a5c41c81d90cc12ab4650b4ab9f28e771

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js

                          Filesize

                          6KB

                          MD5

                          824d94492ba92109907d934b706ffb97

                          SHA1

                          f59288571acf5fea2d6a5a8d8f9e3adb84c40768

                          SHA256

                          e07f8da85168c4714bad01fa91f59d6255b7db0bb3d0f4d08e0a37f6134bedde

                          SHA512

                          47a0f944b679efb5652b51b1873a02ef07152df68cdad9b34537a9a65a6749ab318c7dce173926e646cb8622eeaeb684c1cba1697f076533598057e4fcfe6afc

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js

                          Filesize

                          6KB

                          MD5

                          6fea0893c2830a4a79b0a385d06c247f

                          SHA1

                          d54cc5f08a1f3a7549745a1f0b58f8ab0f2ac5c7

                          SHA256

                          191505a5b38138aabfe6617d77c4d8381a7cb1763868f280125b36fff599cbae

                          SHA512

                          87269ae6aad25ae65fb832b3940860938d70deaf20bc4ace08346e59da599afe612fdc798379e54a484f9e9d1896ce7ad88e5d4e22c65ce0c7c7ad8f874dac6b

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionCheckpoints.json

                          Filesize

                          259B

                          MD5

                          700fe59d2eb10b8cd28525fcc46bc0cc

                          SHA1

                          339badf0e1eba5332bff317d7cf8a41d5860390d

                          SHA256

                          4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

                          SHA512

                          3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          5KB

                          MD5

                          de91d28c6a48338fee6fcbf238e5a0b1

                          SHA1

                          48d12bc496fd2d7a93ff5f0f6179f79429b43361

                          SHA256

                          186c564bb131446ac1d0d8489dd5f43aad6236e57962883a4819e4c96778f402

                          SHA512

                          48672753aacb52bd5dab994b19ae5b52c332a8e2cbd1b96d440e47b305e70a4e6b30cb45cbf9c44aea009c9f899875813a0dcff38a9615406dfcc91fb5587aa6

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          6KB

                          MD5

                          27dae0c42ca1be50b239d3bc56209500

                          SHA1

                          42f25ab6278362a8eba0af43ce84c7b4814ff9d3

                          SHA256

                          4076ea2c5c3ff2c139f2cf69ba028a95bf6638277290f9b7011175e5bf3d9530

                          SHA512

                          75aec4f25edf2ea8f593cb74cf9ee10231e6bfddbd8b608be887a0ee9edf545bfb4323b059fae6d722113d0c763e5994e75d0e3379ac9f193436102611390f14

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          3KB

                          MD5

                          435b0803f71751307d8003cfb455b959

                          SHA1

                          2878e28039d91fffb05f36d207557a8ebbcae690

                          SHA256

                          538e73b092760b9252a816e3a51ef883fcf347dbdcc04c87b84982ac4a83e433

                          SHA512

                          98cb3bf2b31b19ba9f8992c68c148d09dad87f63697d2466021c9ff693d3727ba6e21d2b631714718ced76775790fa27ed2d7d8cba3531fb7fdd5928ce3883cb

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          6KB

                          MD5

                          3710f8d454b68f692c39ddfa29a6495d

                          SHA1

                          e0b754d2762d54f70c634ed17be9404ee31ccdd5

                          SHA256

                          6d143f64b44da8333b68599be56accd33d9b90df42b14643e8069afae7220ee9

                          SHA512

                          ab697948b3c778cb5082788e37e51e1fe5ae66b00f93660208fc2938cca44c298e415d09fc9c6921123f0e838e1fb674f69f20ca932fa2210d28b0203fd0f7e9

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          6KB

                          MD5

                          c4773f3bdae089303c176a7ee27eabfe

                          SHA1

                          b98d40b805f720c732824bb884de9c29063dfe98

                          SHA256

                          d322ecb4a12f7b4b8a5ff0f358b80b3df8f8c0851eea462067f4477220b68ebc

                          SHA512

                          61855844c01e01a587df24bc5ab956d1a39119436b3b0f8ed43ddf11dad1b7f559d1d0dce3a3323b64d9d1b517ff726a9b035cc8f374297bb020a0059e1542e4

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore.jsonlz4

                          Filesize

                          6KB

                          MD5

                          a3c3b0ae2fc543f94c0a3b27a3aeba88

                          SHA1

                          60d8f849196c00c2fa43b9f2f06519206e07abf1

                          SHA256

                          9bf0a11eecb5879022f6814e1600e88b89c12830aee7bfcdcc237043412e395b

                          SHA512

                          2d6fd0736bc24ad08c77a1fd1cac93c3bef8ca2758bf0e1986ecce987e28879eb3f9c1e25f13915d368c339ff9b6f2935cc4f49df1398fe42106cf6093b238a1

                        • C:\Users\Admin\Downloads\Quasar.TQSwQMy3.v1.4.1.zip.part

                          Filesize

                          3.3MB

                          MD5

                          13aa4bf4f5ed1ac503c69470b1ede5c1

                          SHA1

                          c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

                          SHA256

                          4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

                          SHA512

                          767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

                        • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe

                          Filesize

                          3.1MB

                          MD5

                          b0f46a28c528f051ffe5f107e6f7da74

                          SHA1

                          1628f7ce1fd30af121e253b4799f1b0bb742cb38

                          SHA256

                          be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660

                          SHA512

                          6a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7

                        • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12

                          Filesize

                          4KB

                          MD5

                          fe60f7a00a5a46a06cb58a963cf586f7

                          SHA1

                          2256ade580675cc083f2105f66a49a3914dfdec7

                          SHA256

                          16fbfdcbbd262715d43e8a6444cc69803b2e38ed7ac69759b69df7af9a401db5

                          SHA512

                          4ccc44ce6de449bd1f8cf1b7aa7a72724e87377eefda902c4c6d5c039ab248b4b2e7b810ae365c5115ab072894ba86b5ca6b462ad97326d7f7c96db2bc0e683d

                        • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml

                          Filesize

                          373B

                          MD5

                          b6af1da05c1a00991f04f8b898cea532

                          SHA1

                          24c48b062d8d864eefd32f2d84a36e1a7282e911

                          SHA256

                          f2ef0d8f29904a65ce6dbe29baf9379fb4659afb6930a5af5d9fb88f73b73f41

                          SHA512

                          2ab2de469911c3fee5b9bbfdbb373e5eb15023bf25b9e1835ebbf5890c66cfd7a06d7d5911e2fb630afadf9b30489e589634cefe52ca4c4156ae24b24c00c8aa

                        • C:\Windows\System32\SubDir\Client.exe

                          Filesize

                          3.1MB

                          MD5

                          b0f46a28c528f051ffe5f107e6f7da74

                          SHA1

                          1628f7ce1fd30af121e253b4799f1b0bb742cb38

                          SHA256

                          be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660

                          SHA512

                          6a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7

                        • C:\Windows\system32\SubDir\Client.exe

                          Filesize

                          3.1MB

                          MD5

                          b0f46a28c528f051ffe5f107e6f7da74

                          SHA1

                          1628f7ce1fd30af121e253b4799f1b0bb742cb38

                          SHA256

                          be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660

                          SHA512

                          6a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7
