Analysis Overview
SHA256
43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
Threat Level: Known bad
The file Quasar.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 22:21
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 22:21
Reported
2023-12-01 22:52
Platform
win11-20231128-en
Max time kernel
1798s
Max time network
1807s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 66003100000000008157fab210005155415341527e312e3100004c0009000400efbe8157eeb28157fab22e000000dca802000000010000000000000000000000000000005b2823015100750061007300610072002000760031002e0034002e00310000001a000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "4" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 66003100000000008157eeb210005155415341527e312e3100004c0009000400efbe8157eeb28157eeb22e000000dba802000000010000000000000000000000000000001a2317015100750061007300610072002e00760031002e0034002e00310000001a000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
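The BagMRU values in the rows above are ShellBag entries: Windows shell items that Explorer and the common file dialog write for every folder the user browses. The two blobs written to BagMRU\0\0\0\0\0\0 and BagMRU\0\0\0\0\0\0\0 record the extracted download folder and its "Quasar v1.4.1" subfolder, with DOS-format timestamps from the sandbox host's clock and the folders' NTFS file references. The decoder below is an added example, not part of this report or of the Quasar project: it parses those two blobs (copied verbatim from the table) as class-0x30 file-entry items carrying a 0xBEEF0004 extension block. The version-dependent field layout follows the public libfwsi format documentation and was checked only against the version-9 blocks on this page, so treat the offsets for other versions as an assumption.

```python
import struct
from datetime import datetime

# Input copied from the two "Set value (data)" rows above, keyed by the BagMRU value each was written to.
BAGMRU_BLOBS = {
    r"BagMRU\0\0\0\0\0\0\0": (
        "66003100000000008157fab210005155415341527e312e3100004c0009000400efbe8157eeb28157fab22e000000"
        "dca802000000010000000000000000000000000000005b2823015100750061007300610072002000760031002e"
        "0034002e00310000001a000000"
    ),
    r"BagMRU\0\0\0\0\0\0": (
        "66003100000000008157eeb210005155415341527e312e3100004c0009000400efbe8157eeb28157eeb22e000000"
        "dba802000000010000000000000000000000000000001a2317015100750061007300610072002e00760031002e"
        "0034002e00310000001a000000"
    ),
}


def dos_datetime(date: int, time: int) -> datetime:
    """Decode a packed MS-DOS date/time pair (local time of the machine that wrote it)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def _utf16z(buf: bytes, pos: int) -> str:
    """Read a NUL-terminated UTF-16LE string that starts at an even offset."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le")


def parse_file_entry_item(hexblob: str) -> dict:
    """Parse one BagMRU value: a class-0x30 (file/directory) shell item followed by a 2-byte IDList terminator."""
    blob = bytes.fromhex(hexblob)
    size, item_type = struct.unpack_from("<HB", blob, 0)
    if item_type & 0x70 != 0x30 or size > len(blob):
        raise ValueError("not a file-entry shell item")
    item = blob[:size]
    mod_date, mod_time, attrs = struct.unpack_from("<HHH", item, 8)   # after the 4-byte file size
    short_name = item[14:item.index(b"\x00", 14)].decode("ascii")      # 8.3 name, e.g. QUASAR~1.1
    ext_off = struct.unpack_from("<H", item, size - 2)[0]              # last 2 bytes: first extension offset
    ext_size, version, signature = struct.unpack_from("<HHI", item, ext_off)
    if signature != 0xBEEF0004 or ext_off + ext_size > size:
        raise ValueError(f"unexpected extension block {signature:#010x}")
    cr_date, cr_time, ac_date, ac_time = struct.unpack_from("<HHHH", item, ext_off + 8)
    # Layout after the 18-byte fixed header depends on the block version (libfwsi documentation; assumption
    # for versions other than the 9 seen here): v>=7 adds 2 unknown + 8-byte NTFS file reference + 8 unknown,
    # v>=3 a 2-byte localized-name size, v>=9 4 unknown bytes, v>=8 4 unknown bytes, then the UTF-16 long name.
    pos = ext_off + 18
    mft_entry = mft_seq = None
    if version >= 7:
        ref = struct.unpack_from("<Q", item, pos + 2)[0]
        mft_entry, mft_seq = ref & 0xFFFFFFFFFFFF, ref >> 48
        pos += 2 + 8 + 8
    if version >= 3:
        pos += 2
    if version >= 9:
        pos += 4
    if version >= 8:
        pos += 4
    return {
        "short_name": short_name,
        "long_name": _utf16z(item, pos),
        "is_directory": bool(attrs & 0x10),
        "modified": dos_datetime(mod_date, mod_time),
        "created": dos_datetime(cr_date, cr_time),
        "accessed": dos_datetime(ac_date, ac_time),
        "mft_entry": mft_entry,
        "mft_sequence": mft_seq,
        "ext_version": version,
    }


def decode_bagmru(blobs: dict) -> dict:
    """Decode every BagMRU value in the mapping; returns {value name: parsed item}."""
    return {value: parse_file_entry_item(hexblob) for value, hexblob in blobs.items()}


if __name__ == "__main__":
    for value, info in decode_bagmru(BAGMRU_BLOBS).items():
        print(f"{value}: {info['long_name']!r} ({info['short_name']}) created {info['created']:%Y-%m-%d %H:%M:%S}, "
              f"modified {info['modified']:%H:%M:%S}, MFT #{info['mft_entry']} seq {info['mft_sequence']}")
```

Both folders decode with a creation time of 22:23:28 on the detonation day, two minutes after submission, and the inner "Quasar v1.4.1" folder was modified again at 22:23:52, which fits the builder writing Client-built.exe into it. The same parser works on BagMRU data pulled from a live NTUSER.DAT/UsrClass.dat hive, where it shows which folders a user actually opened even after the files are gone.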
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Quasar.exe
"C:\Users\Admin\AppData\Local\Temp\Quasar.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.0.1638458085\1750171200" -parentBuildID 20221007134813 -prefsHandle 1768 -prefMapHandle 1764 -prefsLen 20806 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d081f7-c362-4784-8c3c-3dafbe66a364} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 1868 1ff35116658 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.1.580553069\1454555629" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20842 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa17472-b837-4fac-95a7-562c00b55b41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2244 1ff33efa558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.2.1624495043\176543632" -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2828 -prefsLen 20945 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9896c26e-13f9-4f87-8cf3-4d0d817439d6} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2844 1ff392c6c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.3.121291919\1092289604" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26124 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {156b422a-6fba-4e66-8aac-35d0ce5befb9} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 3508 1ff27f5e258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.4.870837767\62852592" -childID 3 -isForBrowser -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 26183 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {928d66f5-cf09-49aa-97e8-79006b861377} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3b2fa158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.5.807145398\217926177" -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dbe736-72b0-4832-bb5c-f07c189ae6e7} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5328 1ff3b2fce58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.6.1116477458\1265926687" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5320 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9661152e-d84b-44e6-8a0d-dae3a7770c41} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5288 1ff3b89be58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.7.1686810636\328676984" -childID 6 -isForBrowser -prefsHandle 5628 -prefMapHandle 5688 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4f19dc-e37c-4b17-a85b-153112ed7f45} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 5680 1ff3b899158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.8.1807087145\960263319" -childID 7 -isForBrowser -prefsHandle 4860 -prefMapHandle 4752 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e179ae3-6a28-42b6-8e38-145ec0c0876d} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 4720 1ff3a315b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.9.34196916\1330491773" -childID 8 -isForBrowser -prefsHandle 2940 -prefMapHandle 5552 -prefsLen 26518 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12f04b91-e66d-4d06-bbec-0a36ff311602} 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 2928 1ff369f5558 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.218.220.89:443 | shavar.prod.mozaws.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:49743 | N/A | tcp |
| N/A | 127.0.0.1:49749 | N/A | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| NL | 142.251.39.99:443 | id.google.com | tcp |
| NL | 142.251.39.99:443 | id.google.com | udp |
| DE | 172.217.23.206:443 | plus.l.google.com | tcp |
| DE | 172.217.23.206:443 | plus.l.google.com | udp |
| NL | 142.250.179.194:443 | googleads.g.doubleclick.net | tcp |
| NL | 142.250.179.194:443 | googleads.g.doubleclick.net | udp |
| NL | 142.250.179.132:443 | t1.gstatic.com | tcp |
| NL | 142.250.179.132:443 | t1.gstatic.com | tcp |
| NL | 142.250.179.132:443 | t1.gstatic.com | tcp |
| NL | 142.251.39.100:443 | t2.gstatic.com | tcp |
| NL | 142.250.179.132:443 | t1.gstatic.com | tcp |
| US | 8.8.8.8:53 | 132.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| DE | 2.22.61.56:80 | ciscobinary.openh264.org | tcp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | tcp |
| GB | 216.58.208.110:443 | redirector.gvt1.com | udp |
| NL | 74.125.8.73:443 | r4.sn-5hneknee.gvt1.com | tcp |
| NL | 74.125.8.73:443 | r4.sn-5hneknee.gvt1.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp | |
| US | 8.8.8.8:4782 | tcp |
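Added example, not part of the sandbox report: a short Python script that turns the network rows above (the long run of bare-IP TCP connections to 8.8.8.8:4782, which is Quasar's default listener port) and the dropped client's SHA256 and path from the Files section below into hunting checks. The network rows embedded in the script are copied from the report as they appear on the page (six copies stand in for the full run of 8.8.8.8:4782 rows, including the shifted-column form); the Sysmon-style file events it scans are constructed for the demo, and the function names are mine.

```python
"""Turn this report's network and file tables into hunting logic.

Added example, not code from the report or from the Quasar project.
"""
from collections import Counter

# A subset of the report's network rows, pasted as they appear on the page. The
# C2 rows carry the protocol in the hostname column and an empty last cell, and
# the report's final row has no trailing pipe; the parser tolerates both.
NETWORK_ROWS = """
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| DE | 2.22.61.56:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
""".strip().splitlines() + ["| US | 8.8.8.8:4782 | tcp | |"] * 6 + [
    "| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:4782 | tcp |",
]

# Hash and drop path of the Quasar client from the report's Files section.
DROPPED_SHA256 = "be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660"
DROPPED_PATH = r"C:\Windows\System32\SubDir\Client.exe"
QUASAR_DEFAULT_PORT = 4782  # Quasar's built-in default listener port

PROTOCOLS = {"tcp", "udp"}


def parse_network_row(row):
    """Split one '| CC | ip:port | host | proto |' row into fields."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    while len(cells) < 4:
        cells.append("")
    country, endpoint, host, proto = cells[:4]
    if host.lower() in PROTOCOLS and not proto:  # protocol landed in the host column
        host, proto = "", host
    ip, _, port = endpoint.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "host": host, "proto": proto.lower()}


def connection_counts(rows):
    """Number of connection records per (ip, port, proto)."""
    return Counter((r["ip"], r["port"], r["proto"]) for r in map(parse_network_row, rows))


def beacon_candidates(rows, min_attempts=5):
    """Endpoints hit repeatedly by bare IP with no hostname: a RAT retrying its C2.

    Returns {(ip, port, proto): {"attempts": n, "default_quasar_port": bool}}.
    """
    hosts_seen = {}
    for r in map(parse_network_row, rows):
        hosts_seen.setdefault((r["ip"], r["port"], r["proto"]), set()).add(r["host"])
    out = {}
    for key, n in connection_counts(rows).items():
        if n >= min_attempts and hosts_seen[key] == {""}:
            out[key] = {"attempts": n, "default_quasar_port": key[1] == QUASAR_DEFAULT_PORT}
    return out


# Constructed Sysmon-style FileCreate events (not from the report) for the demo.
FILE_EVENTS = [
    {"Image": r"C:\Users\Admin\Downloads\Quasar v1.4.1\Client-built.exe",
     "TargetFilename": r"C:\Windows\system32\SubDir\Client.exe",
     "Hashes": "SHA256=BE1F1122822797F5332C41C8F64F02562C598C48A9ED28A2DB8C2F7B9E87A660"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\tmpaddon",
     "Hashes": "SHA256=A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E"},
]


def match_file_events(events, sha256_iocs=None, path_iocs=None):
    """Flag events whose SHA256 or (case-insensitive) target path matches a report IOC."""
    sha256_iocs = {s.lower() for s in (sha256_iocs or {DROPPED_SHA256})}
    path_iocs = {p.lower() for p in (path_iocs or {DROPPED_PATH})}
    hits = []
    for e in events:
        hashes = dict(h.split("=", 1) for h in e.get("Hashes", "").split(",") if "=" in h)
        reasons = []
        if hashes.get("SHA256", "").lower() in sha256_iocs:
            reasons.append("sha256")
        if e.get("TargetFilename", "").lower() in path_iocs:
            reasons.append("path")
        if reasons:
            hits.append((e["TargetFilename"], reasons))
    return hits


if __name__ == "__main__":
    for key, info in beacon_candidates(NETWORK_ROWS).items():
        print("beacon candidate", key, info)
    for path, reasons in match_file_events(FILE_EVENTS):
        print("file IOC hit", path, reasons)
```

The hostname test matters: the legitimate Firefox traffic in the same table resolves through DNS and carries a name, while the RAT's reconnect loop goes to a literal IP with no lookup, so "many connections, no name, one port" separates the two without relying on the IP itself (which an operator changes between builds).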
Files
memory/4992-0-0x000002DC44280000-0x000002DC443B8000-memory.dmp
memory/4992-1-0x00007FFF67070000-0x00007FFF67B32000-memory.dmp
memory/4992-2-0x000002DC5EC00000-0x000002DC5EC10000-memory.dmp
memory/4992-3-0x00007FFF67070000-0x00007FFF67B32000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 039e30a0b330714d0807614f694df66b |
| SHA1 | 102c4aaf1f8013fc0c95dcdddf40b5e62e5dc808 |
| SHA256 | 0c102c2c417612f4074d50daea4d9607a7dbc3664da9799add81f9b720509fd2 |
| SHA512 | 47bece7633b7d37b944096e427455262d8209020116afc0661de65c5f0ad4fc03cc5d9c0f8d8c130cd8d596701214005ea1b1301f4a9f5f271965f4177bc4a39 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\pending_pings\998d9740-1270-43da-a5d7-62a1c9e37e84
| MD5 | 85b00861af634ad0ac6d81c3bfdbe0ae |
| SHA1 | c43577d295fcfce5aa869978f5f08f05dd99089b |
| SHA256 | 2543a6e0eeda1887818ef34f095019b4a8dda2b8c75c2ea9449f2a5720d8dc5d |
| SHA512 | c28a2260c51997142f4755a59641b5652a96ae4e3104382e7abc86f3ef0e8c67ffd39cee801569473d28e72e64f04f1ac6d867953a143d583934413ad7afeb7c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\datareporting\glean\pending_pings\48bf7a9c-ece6-4c4c-b1a0-efd6625e12ab
| MD5 | bb8ccd513f71655d03a64fab9915ad63 |
| SHA1 | ef8cc1078366f63bd4169a8f01ee93efc55a8e78 |
| SHA256 | b31fb401262df7ddf3fe70e99bfe3389662f08e5b26d3c48de04c08d15bc60dd |
| SHA512 | f1924b107827fc0a86147ccc2c87c181934c6a930d6b60d0be91080d45778b8b133c9098c6c2c0b09fd41889b92378d65ddf94de074b13c237ff40fcf2244d13 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bmp1livs.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | d9c9dfbaf9485188c56c98097df639a7 |
| SHA1 | c353f7cdc3f41cefe233e0105e3519f8493cad3e |
| SHA256 | 7dfda55001da9d98afa0d4e6f7bf9ac43a73b5285dbfc00bbb154c5f17451707 |
| SHA512 | 15e55b1053971765c998b133a8ee2e3ae6bca10744096aeae19d3f14a0d65ac44e73c890db5b69ad2d68b2a2fcc94a160f5decf67c644314ff5112e76b9036b4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js
| MD5 | 824d94492ba92109907d934b706ffb97 |
| SHA1 | f59288571acf5fea2d6a5a8d8f9e3adb84c40768 |
| SHA256 | e07f8da85168c4714bad01fa91f59d6255b7db0bb3d0f4d08e0a37f6134bedde |
| SHA512 | 47a0f944b679efb5652b51b1873a02ef07152df68cdad9b34537a9a65a6749ab318c7dce173926e646cb8622eeaeb684c1cba1697f076533598057e4fcfe6afc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 435b0803f71751307d8003cfb455b959 |
| SHA1 | 2878e28039d91fffb05f36d207557a8ebbcae690 |
| SHA256 | 538e73b092760b9252a816e3a51ef883fcf347dbdcc04c87b84982ac4a83e433 |
| SHA512 | 98cb3bf2b31b19ba9f8992c68c148d09dad87f63697d2466021c9ff693d3727ba6e21d2b631714718ced76775790fa27ed2d7d8cba3531fb7fdd5928ce3883cb |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bmp1livs.default-release\cache2\doomed\4722
| MD5 | c7e31533c3344d20e1aadaa068ca6dfa |
| SHA1 | 42cd512b5687ec73f300a587d7634f18f2f81ba4 |
| SHA256 | c25498aaafd0846c7a3a27fc1081aeb2142e04fb55eaa5106a6f62b6b0a6e496 |
| SHA512 | 1c922bb364e8663708e498e0e4b83f08d45ea39ff048016f7ed823a4824f950c1d87d0a5fcf214eafa9e863c72f39ae422f75a4b32c7d66638704a36313a0630 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | de91d28c6a48338fee6fcbf238e5a0b1 |
| SHA1 | 48d12bc496fd2d7a93ff5f0f6179f79429b43361 |
| SHA256 | 186c564bb131446ac1d0d8489dd5f43aad6236e57962883a4819e4c96778f402 |
| SHA512 | 48672753aacb52bd5dab994b19ae5b52c332a8e2cbd1b96d440e47b305e70a4e6b30cb45cbf9c44aea009c9f899875813a0dcff38a9615406dfcc91fb5587aa6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js
| MD5 | 6fea0893c2830a4a79b0a385d06c247f |
| SHA1 | d54cc5f08a1f3a7549745a1f0b58f8ab0f2ac5c7 |
| SHA256 | 191505a5b38138aabfe6617d77c4d8381a7cb1763868f280125b36fff599cbae |
| SHA512 | 87269ae6aad25ae65fb832b3940860938d70deaf20bc4ace08346e59da599afe612fdc798379e54a484f9e9d1896ce7ad88e5d4e22c65ce0c7c7ad8f874dac6b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3710f8d454b68f692c39ddfa29a6495d |
| SHA1 | e0b754d2762d54f70c634ed17be9404ee31ccdd5 |
| SHA256 | 6d143f64b44da8333b68599be56accd33d9b90df42b14643e8069afae7220ee9 |
| SHA512 | ab697948b3c778cb5082788e37e51e1fe5ae66b00f93660208fc2938cca44c298e415d09fc9c6921123f0e838e1fb674f69f20ca932fa2210d28b0203fd0f7e9 |
C:\Users\Admin\Downloads\Quasar.TQSwQMy3.v1.4.1.zip.part
| MD5 | 13aa4bf4f5ed1ac503c69470b1ede5c1 |
| SHA1 | c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00 |
| SHA256 | 4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62 |
| SHA512 | 767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 27dae0c42ca1be50b239d3bc56209500 |
| SHA1 | 42f25ab6278362a8eba0af43ce84c7b4814ff9d3 |
| SHA256 | 4076ea2c5c3ff2c139f2cf69ba028a95bf6638277290f9b7011175e5bf3d9530 |
| SHA512 | 75aec4f25edf2ea8f593cb74cf9ee10231e6bfddbd8b608be887a0ee9edf545bfb4323b059fae6d722113d0c763e5994e75d0e3379ac9f193436102611390f14 |
memory/2808-453-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
memory/2808-454-0x0000025616010000-0x0000025616026000-memory.dmp
memory/2808-455-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-456-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-457-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-458-0x0000025617970000-0x0000025617980000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c4773f3bdae089303c176a7ee27eabfe |
| SHA1 | b98d40b805f720c732824bb884de9c29063dfe98 |
| SHA256 | d322ecb4a12f7b4b8a5ff0f358b80b3df8f8c0851eea462067f4477220b68ebc |
| SHA512 | 61855844c01e01a587df24bc5ab956d1a39119436b3b0f8ed43ddf11dad1b7f559d1d0dce3a3323b64d9d1b517ff726a9b035cc8f374297bb020a0059e1542e4 |
memory/2808-467-0x0000025632AD0000-0x0000025632DFE000-memory.dmp
memory/2808-471-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
| MD5 | fe60f7a00a5a46a06cb58a963cf586f7 |
| SHA1 | 2256ade580675cc083f2105f66a49a3914dfdec7 |
| SHA256 | 16fbfdcbbd262715d43e8a6444cc69803b2e38ed7ac69759b69df7af9a401db5 |
| SHA512 | 4ccc44ce6de449bd1f8cf1b7aa7a72724e87377eefda902c4c6d5c039ab248b4b2e7b810ae365c5115ab072894ba86b5ca6b462ad97326d7f7c96db2bc0e683d |
memory/2808-488-0x0000025630D70000-0x0000025630D88000-memory.dmp
memory/2808-489-0x0000025630DE0000-0x0000025630E30000-memory.dmp
memory/2808-490-0x00000256326C0000-0x0000025632772000-memory.dmp
memory/2808-491-0x0000025630E30000-0x0000025630E7C000-memory.dmp
memory/2808-500-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-502-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-501-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-503-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-513-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-521-0x0000025617970000-0x0000025617980000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 269c30a6eaf067846eb28bac413675f3 |
| SHA1 | ffb076c623d65759e6edc48ae39c7514fc8196e5 |
| SHA256 | adb9798d605a7ae50f03a6bb96307a592df8de1750c15d47307c290663668cf4 |
| SHA512 | de7c4773fd61c988c6a50112e7ef715a4bb941fb715a31dfd1511f37e01cae7bf95c1c6ba77c8c03b947f24303f39b41b23ce0fc86d022c381940116ee010424 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js
| MD5 | 76d53e50c31b2120ebd423103c3e561b |
| SHA1 | ed1b259ddafcd538978028b1fc2c34c313dfdd1a |
| SHA256 | 4b2373a711857af4d679825e340427b190da2d11e3f0a2716955c8f726bfc4fd |
| SHA512 | 40c0a5c6a7daaa9eeae89a85bb26d89142e5b4682c6b31634b3ea58e92f8d06cd98312a89852bcf80c450f8c6eb1bf9792d25ee6f2829d2c371387af7fe08e82 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
memory/2808-634-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-635-0x0000025617970000-0x0000025617980000-memory.dmp
memory/2808-637-0x00000256361B0000-0x00000256361CA000-memory.dmp
memory/2808-636-0x0000025636690000-0x00000256366EE000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| MD5 | b0f46a28c528f051ffe5f107e6f7da74 |
| SHA1 | 1628f7ce1fd30af121e253b4799f1b0bb742cb38 |
| SHA256 | be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660 |
| SHA512 | 6a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7 |
memory/3388-679-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
memory/3388-678-0x0000000000900000-0x0000000000C24000-memory.dmp
memory/3388-680-0x000000001B980000-0x000000001B990000-memory.dmp
C:\Windows\system32\SubDir\Client.exe
| MD5 | b0f46a28c528f051ffe5f107e6f7da74 |
| SHA1 | 1628f7ce1fd30af121e253b4799f1b0bb742cb38 |
| SHA256 | be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660 |
| SHA512 | 6a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | b0f46a28c528f051ffe5f107e6f7da74 |
| SHA1 | 1628f7ce1fd30af121e253b4799f1b0bb742cb38 |
| SHA256 | be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660 |
| SHA512 | 6a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7 |
memory/3388-686-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
memory/908-687-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
memory/908-688-0x000000001B1F0000-0x000000001B200000-memory.dmp
memory/908-694-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml
| MD5 | b6af1da05c1a00991f04f8b898cea532 |
| SHA1 | 24c48b062d8d864eefd32f2d84a36e1a7282e911 |
| SHA256 | f2ef0d8f29904a65ce6dbe29baf9379fb4659afb6930a5af5d9fb88f73b73f41 |
| SHA512 | 2ab2de469911c3fee5b9bbfdbb373e5eb15023bf25b9e1835ebbf5890c66cfd7a06d7d5911e2fb630afadf9b30489e589634cefe52ca4c4156ae24b24c00c8aa |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| MD5 | b0f46a28c528f051ffe5f107e6f7da74 |
| SHA1 | 1628f7ce1fd30af121e253b4799f1b0bb742cb38 |
| SHA256 | be1f1122822797f5332c41c8f64f02562c598c48a9ed28a2db8c2f7b9e87a660 |
| SHA512 | 6a12181a537b6026a50d27ae7b5abeeadf3be86cc93dae3fd402a31368cee49ad06dabc6c628cac68d8bfe064a6873f08ff800fef8879f36fe17c9acfbd801e7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
| MD5 | b4e91d2e5f40d5e2586a86cf3bb4df24 |
| SHA1 | 31920b3a41aa4400d4a0230a7622848789b38672 |
| SHA256 | 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210 |
| SHA512 | 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319 |
memory/2772-716-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
memory/2772-717-0x0000000003090000-0x00000000030A0000-memory.dmp
memory/2772-718-0x00007FFF65A40000-0x00007FFF66502000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionstore.jsonlz4
| MD5 | a3c3b0ae2fc543f94c0a3b27a3aeba88 |
| SHA1 | 60d8f849196c00c2fa43b9f2f06519206e07abf1 |
| SHA256 | 9bf0a11eecb5879022f6814e1600e88b89c12830aee7bfcdcc237043412e395b |
| SHA512 | 2d6fd0736bc24ad08c77a1fd1cac93c3bef8ca2758bf0e1986ecce987e28879eb3f9c1e25f13915d368c339ff9b6f2935cc4f49df1398fe42106cf6093b238a1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\sessionCheckpoints.json
| MD5 | 700fe59d2eb10b8cd28525fcc46bc0cc |
| SHA1 | 339badf0e1eba5332bff317d7cf8a41d5860390d |
| SHA256 | 4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea |
| SHA512 | 3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bmp1livs.default-release\prefs-1.js
| MD5 | 9c66695448f68f7614feecf811d88a04 |
| SHA1 | 05480a6029c87fc982c2922eccdeeec738b7655a |
| SHA256 | 198568fa10132130bd1f524e504da188c6b357fff00f85741c5a165bb110552d |
| SHA512 | 4220888f0b3b7501d45a60a0452edf625f890018222c2f48b4a7d81637ee9b4e9d945933a995f08e4d664608dd42897a5c41c81d90cc12ab4650b4ab9f28e771 |
memory/908-795-0x000000001C7A0000-0x000000001CCC8000-memory.dmp