Analysis Overview
SHA256
b76679275457665ff82c8fc110933f860ff555280420c81c76dc2328110da6d6
Threat Level: Known bad
The file dream_TradingCard (3).jpg was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Gathers network information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-14 15:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-14 15:16
Reported
2023-12-14 15:17
Platform
win7-20231201-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-14 15:16
Reported
2023-12-14 15:47
Platform
win10v2004-20231127-en
Max time kernel
1799s
Max time network
1691s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2037190880-819243489-950462038-1000\{223C7C70-2D82-4223-8034-3F14F2137892} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "4" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dream_TradingCard (3).jpg"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9193646f8,0x7ff919364708,0x7ff919364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5828 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5532 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6192 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6524 /prefetch:2
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
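The two schtasks invocations in the list above are the persistence step: a task named SystemShell, triggered ONLOGON, that runs the copy dropped at C:\Windows\system32\SubDir\Client.exe with /rl HIGHEST and /f (create silently, overwriting any existing task of that name). The Python below is an added example, not part of this report and not Quasar code, showing one way to pick that pattern out of collected process command lines. The sample command lines are constructed from the list above plus a benign daily task and a bare cmd.exe launch for contrast; the indicator rules and the two-indicator threshold are assumptions tuned to what this report shows.

```python
import re

# Constructed sample: the schtasks invocation from the process list above plus
# a benign daily task and a plain cmd.exe launch for contrast.
SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "SystemShell" /sc ONLOGON /tr "C:\\Windows\\system32\\SubDir\\Client.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "Backup" /sc DAILY /tr "C:\\Program Files\\Backup\\backup.exe"',
    '"C:\\Windows\\system32\\cmd.exe"',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# An .exe exactly one directory below System32 (e.g. ...\system32\SubDir\Client.exe).
SYSTEM32_SUBDIR_RE = re.compile(r'\\windows\\system32\\[^\\]+\\[^\\]+\.exe$')


def tokenize(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in TOKEN_RE.findall(cmdline)]


def parse_schtasks_create(cmdline):
    """Return the switches of a 'schtasks /create' command as a dict, else None.

    Switches that take a value (/tn, /sc, /tr, /rl) map to that value; bare
    switches (/create, /f) map to True. Switch names are lower-cased.
    """
    toks = tokenize(cmdline)
    if not toks:
        return None
    image = toks[0].lower().rsplit('\\', 1)[-1]
    if image not in ('schtasks', 'schtasks.exe'):
        return None
    switches = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith('/'):
            name = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith('/'):
                switches[name] = toks[i + 1]
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches if 'create' in switches else None


def task_indicators(switches):
    """Indicator codes for one parsed task (assumed rules, tuned to this report)."""
    found = []
    if str(switches.get('rl', '')).upper() == 'HIGHEST':
        found.append('rl_highest')        # runs with highest privileges
    if str(switches.get('sc', '')).upper() == 'ONLOGON':
        found.append('onlogon')           # re-launched at every logon
    if SYSTEM32_SUBDIR_RE.search(str(switches.get('tr', '')).lower()):
        found.append('system32_subdir')   # payload staged in a System32 subfolder
    if switches.get('f') is True:
        found.append('force')             # overwrites an existing task silently
    return found


def find_suspicious_tasks(cmdlines, min_indicators=2):
    """Return (task name, indicators) for each schtasks /create with enough indicators."""
    hits = []
    for line in cmdlines:
        sw = parse_schtasks_create(line)
        if sw is None:
            continue
        ind = task_indicators(sw)
        if len(ind) >= min_indicators:
            hits.append((sw.get('tn', '<unnamed>'), ind))
    return hits


if __name__ == '__main__':
    for name, ind in find_suspicious_tasks(SAMPLE_CMDLINES):
        print(name, ind)
```

On the sample above only SystemShell is returned, with all four indicators; the daily task under Program Files yields none. The same function can be run over a Sysmon event 1 or EDR export by feeding it the CommandLine field of every schtasks.exe process.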
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 92.123.128.136:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 136.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 92.123.128.185:443 | r.bing.com | tcp |
| US | 92.123.128.185:443 | r.bing.com | tcp |
| US | 92.123.128.143:443 | th.bing.com | tcp |
| US | 92.123.128.143:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 185.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| IE | 40.126.31.73:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 6.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dynupdate.no-ip.com | udp |
| US | 158.247.7.204:443 | dynupdate.no-ip.com | tcp |
| US | 8.8.8.8:53 | 204.7.247.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dynupdate.no-ip.com | udp |
| US | 158.247.7.204:443 | dynupdate.no-ip.com | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| US | 8.8.8.8:53 | dynupdate.no-ip.com | udp |
| US | 158.247.7.204:443 | dynupdate.no-ip.com | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
| N/A | 10.127.0.135:4782 | | tcp |
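In the table above, the DNS, bing.com, login.microsoftonline.com and github.com traffic is browser activity from the Edge processes listed earlier; the rows that matter for this sample are the dynupdate.no-ip.com lookups and the long run of TCP connections to 10.127.0.135:4782 (4782 is the default port used by the Quasar client and server). The Python below is an added example, not part of this report, showing how to summarise rows in this table format so that repeated connections to an uncommon port and lookups of dynamic-DNS hosts stand out from the noise. It also accepts rows whose Domain and Proto cells were swapped during extraction. The sample rows are a constructed subset of the table; the port allow-list, the repeat threshold and the dynamic-DNS suffix list are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample: a subset of the rows from the Network table above,
# including one row in the misaligned "| ... | udp | |" form.
SAMPLE_ROWS = [
    '| Country | Destination | Domain | Proto |',
    '| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |',
    '| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |',
    '| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |',
    '| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |',
    '| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |',
    '| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |',
    '| N/A | 224.0.0.251:5353 | udp | |',
    '| US | 8.8.8.8:53 | dynupdate.no-ip.com | udp |',
    '| US | 158.247.7.204:443 | dynupdate.no-ip.com | tcp |',
] + ['| N/A | 10.127.0.135:4782 | | tcp |'] * 7

# Assumptions: dynamic-DNS suffixes worth flagging, ports a sandbox guest
# legitimately hits many times, and how many repeats count as beaconing.
DDNS_SUFFIXES = ('.no-ip.com', '.no-ip.org', '.duckdns.org', '.ddns.net')
COMMON_PORTS = {53, 80, 443, 5353}
BEACON_THRESHOLD = 5


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row into a dict.

    Returns None for header or non-data lines. If the Proto value landed in
    the Domain column (as in some extracted tables), the two are swapped back.
    """
    line = line.strip()
    if not line.startswith('|'):
        return None
    cells = [c.strip() for c in line.strip('|').split('|')]
    if len(cells) != 4 or cells[0] == 'Country':
        return None
    country, dest, domain, proto = cells
    if domain in ('tcp', 'udp') and proto == '':
        domain, proto = '', domain
    host, _, port = dest.rpartition(':')
    if not port.isdigit():
        return None
    return {'country': country, 'ip': host, 'port': int(port),
            'domain': domain, 'proto': proto}


def summarize_network(rows):
    """Count TCP connections per (ip, port); flag repeated uncommon ports and DDNS names."""
    counts = Counter()
    ddns = set()
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        if r['proto'] == 'tcp':
            counts[(r['ip'], r['port'])] += 1
        if r['domain'].lower().endswith(DDNS_SUFFIXES):
            ddns.add(r['domain'].lower())
    beacons = []
    for (ip, port), n in counts.most_common():
        if port in COMMON_PORTS or n < BEACON_THRESHOLD:
            continue
        beacons.append({'ip': ip, 'port': port, 'count': n,
                        'private': ipaddress.ip_address(ip).is_private})
    return {'beacon_candidates': beacons, 'ddns_lookups': sorted(ddns)}


if __name__ == '__main__':
    print(summarize_network(SAMPLE_ROWS))
```

On the sample, the five bing.com connections on 443 are dropped by the port allow-list, while 10.127.0.135:4782 is reported with its count and marked as a private address, and dynupdate.no-ip.com is listed as a dynamic-DNS lookup. In a real network log the Domain column would usually come from passive DNS or TLS SNI rather than a sandbox table, but the same filtering applies.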
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e5c27b4a4d5a3c9c60ba18cb867266e3 |
| SHA1 | dea55f1d4cdc831f943f4e56f4f8e9a926777600 |
| SHA256 | 860ed0acc83eb0096cc8911725e2c631ff879ad8c35854577651af502c4b69c9 |
| SHA512 | 56eda28e9c61e8081dadc220d23e7bb3320a9ba557eb7511d17a3d2836aa61f301d1d714a3d611eedd7c4b91886c790af7366b01acdb3b637f3dc4fb024f3f6b |
\??\pipe\LOCAL\crashpad_1812_CUEICVOZCZMOGROZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 601674c72ab6432255af673b850fcb6d |
| SHA1 | 9d966cb6e50342ecdf42788e748fa34b1d1c0550 |
| SHA256 | 4e55bf87d293ec916aa3acc02917c7614c91755737184347166b669c229744e8 |
| SHA512 | 69caa304301a860c399d1010dddf4363d78b859f0c662849ec562c30f60b7d5f392999c278efd5ac6aa560d4aaae4fc14aa20724d686611e8500bc3bd1188c84 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 325494bf6ddd22186090bd03431f880e |
| SHA1 | bf9ff425f9c5e96b52a06611ef197e8138fbc875 |
| SHA256 | fe4c130a1ea56f60f361071cf104d92b7b8c4738e7971d7e9c1156c01a14cc15 |
| SHA512 | 5ad7bd29c11dd28e723506124f9463ea0bcbc135e4a9569bcc1581e1b05ce13116b5f36df108e3c2e17aa6752ee676d80c29baaec93d65c0cff25e41807ca55a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2c680866191e41cd8ffd5274da671193 |
| SHA1 | d9d61473bcf551016bc5d53d252d0574da9e9000 |
| SHA256 | bbd753f1ac202c749cbf3830f1b3579a18ad1b2a3fc5d0005088c7a2fb6a3dd2 |
| SHA512 | 4c1afba3910b73d5c3c5a10d2a1776ca100e2b5549b3e09c0b158e73aa7539a9742edfcdef7eaad94922291d81d4b774f700de7fc1756bef628e554a84bbc6a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | e30738d93d6789672ce8e1c4bfe275a8 |
| SHA1 | ce2195ec1f2e3830b9a106a9dc8d7fa5397d10fc |
| SHA256 | 7d60046d1238ff11bdf616d83c212ad6866a7cc630ee9be8580050dee7f74832 |
| SHA512 | e39c9590f558477a1b823de555bf27542a725566d8bd839a1c493459444d49d755445d8ff34f59681ede12a8e654c5a7fc34b6008c9abcfd65d09f6b1b523a65 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f857614d988720fc329022cd1d853174 |
| SHA1 | 977c51d89a224a54e698f5c2401922712e60e392 |
| SHA256 | fb9c40badb12e3cfb61045c7645f48518cab518700552b4d944607a78670719e |
| SHA512 | cb2f02048e38c1d79ed933add07a01ef99e71a9ec710cc2d3c2a6e9a840aae6cdd6226173debe6209ee441235f69063f0fe702d5eaa26f181ce54ca73edf0680 |
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip
| MD5 | 7420a4094de8f85ed0e8d54bd169706a |
| SHA1 | e3b9dc5052b11c4b85e5ed738e03b28d629501ab |
| SHA256 | a124c6ec9cf80806f93f53e1642ce0d103eda8573989547e759c104a7adc6b46 |
| SHA512 | 559ae981dec35f611356e720f7bfc71a83070cf5467eb94cf1662af3473aab3fcdb4039ca5ebc0b55cc864070559de017709c9ebcd10c45a241654d13928b60c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 88de2fb63d4206477749f5267a619938 |
| SHA1 | 414d256d6a3c872ade35d46a0d99abba8484b520 |
| SHA256 | 398c5ef7f3536324af021761d8f9b88967b38be3f8fa30cf58ea70551640e483 |
| SHA512 | f9336cd91a78f9d93f4af2eedf0c83f57ae711cfd26854721b9a99bc46d0121f0112ec66c3a8c67b519669f724db7cf7e896d653e16d4c1caa214e4727a5814e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58029b.TMP
| MD5 | 07a2bd3ee7ee4d4b0657453738f01143 |
| SHA1 | 9da5251519ea345365877c04f28e925f5708c564 |
| SHA256 | 8d07a09396965cc231af5faed2f057842a68c5116fcecfdf7e60b9d2e6c2c30c |
| SHA512 | 9aec4206c60977986ff7aa78c2e46fd07bb54e279d739b61b222e6db00ce7ea8924dbcabedee218c185e7af6cb897ffe85053ede4ea6f8807cf98ae20a4f31d7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4858993618695a949086e34cc9513485 |
| SHA1 | d68dbc2a2a3b21e0d5125065cca28c2cfa7cb0b6 |
| SHA256 | 771d8f331a5dbcf8d957f13fb85aa4f8d6340abbd1a48fa7f29fe64b00d8b41e |
| SHA512 | 96182c7474f8ae441d090280917049fbc4b18af66d4420e39aff99871cd1ef1740f07b50574c797c194e7e20c0642f8663af690d77b48515ea3764b2184e788a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 9c86c13db22ffdb9c60338e740507c6a |
| SHA1 | 2eb29e2bad107dc2bd967ef777aaef77d5d53a38 |
| SHA256 | 05d502fe097ac253214eaaf8652fa3b6c5d0a3d4afb83786ddca176d10c0695b |
| SHA512 | f6f466184ccd7b6ab82499c19c4962f1c24e7bd9d9f32ca355f5b67edb7d44f6ae102d2baefe6e1439b3b77396a371e064ea4f15571244e3c0ccd8d81b20086c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bfedf7a990c614b1d6ba797edfec858f |
| SHA1 | 3ef3806424a7c468fbce915425e57bd3cd11a86b |
| SHA256 | 6f9cb6d4a636c4793f20d72653005e2e1b0b9d50094cb91193efb9e6dc52dd41 |
| SHA512 | 8178ae744cc05359a2d460311c64314d3a42730a1958264126e1c1891b343669797606ad303f73a332ee3dee67a1e33e8585222fb7e00a68ce42786fc540cbb0 |
memory/4032-407-0x000001DA0F620000-0x000001DA0F758000-memory.dmp
memory/4032-408-0x00007FF913B30000-0x00007FF9145F1000-memory.dmp
memory/4032-409-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-410-0x000001DA0FB60000-0x000001DA0FB76000-memory.dmp
memory/4032-411-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-412-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-417-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-420-0x00007FF913B30000-0x00007FF9145F1000-memory.dmp
memory/4032-439-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-440-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | b6ef8d01093124240f580da4dbb5086a |
| SHA1 | af8e246b9d4b7c0baf60cb137c7d2776c2490a2a |
| SHA256 | 3cefead3e0321dfbe9cdc3088fbd8abfef1277ddd33be1fd8a0faba5b44d5a4c |
| SHA512 | 9d816f0fdf6113e94424a92a76fcc1b6dfa1923d7544d3febde8e107449238eefa14c71b663fe0d28d7db61777c07d5966de3f6a19e707184d5784d00641a062 |
memory/4032-450-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-451-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-453-0x000001DA2ECC0000-0x000001DA2EFEE000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
| MD5 | 89162a296cde6d2a65d1635193f0be45 |
| SHA1 | 795f2e9ac3aa50648633b0e4321dda8f7ce340c0 |
| SHA256 | c873797c0f3f6f062b15b4202cc73e549d2afc37708eb740fc8f12d2a3936f33 |
| SHA512 | 2def3c712a1fc0974d7ce7b5335c94fce727708785c9b8e1ad0428b928515737c61b2c75d51a61eddab57fc8d4c3020ee728f2eb3f4fe21acb253686d28e8d3c |
memory/4032-479-0x000001DA2A6A0000-0x000001DA2A6B8000-memory.dmp
memory/4032-480-0x000001DA2A710000-0x000001DA2A760000-memory.dmp
memory/4032-481-0x000001DA2A820000-0x000001DA2A8D2000-memory.dmp
memory/4032-482-0x000001DA2A760000-0x000001DA2A7AC000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml
| MD5 | c82d7a10fc3d28db9ced285da845b675 |
| SHA1 | 6efc4ce5b173f2d21d9ea3db192ec80697b1d8dc |
| SHA256 | a15318198806ff22f5437996a15e1bc4db0cc19db1f096f4a6b81010efec7c6d |
| SHA512 | e2e42d1ef92ba2caf8b2a0fc32c6ea6784c4b0ea4e17812ceacf8d5612fba74dcdcdee582b5a8a16e25d5538c09ca1772344a038b0441b73837742e376cd9297 |
memory/4032-555-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-556-0x000001DA29DB0000-0x000001DA29DC0000-memory.dmp
memory/4032-557-0x000001DA2EB90000-0x000001DA2EBEE000-memory.dmp
memory/4032-558-0x000001DA2C2B0000-0x000001DA2C2CA000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml
| MD5 | 89e111942b5b2963d5df306e8fde1db0 |
| SHA1 | 5183193ded73ccaffbb0268899bcae9024f8fae4 |
| SHA256 | ad1e0ebd483c4e62b07e6a814e59f888246046e2a57cbfec5196754cc0f3e0d9 |
| SHA512 | 6ceeebd46423395068399649e115962e286b5f24f60ac689359df5e7a35797e5b07b75d1d71b468e6a4e6f53af5b127b0fbc0a4a0fc42fa8db0c7dd3871e2e47 |
memory/2712-619-0x00007FF913B30000-0x00007FF9145F1000-memory.dmp
memory/2712-620-0x0000023EA0840000-0x0000023EA0850000-memory.dmp
memory/2712-621-0x0000023EA0840000-0x0000023EA0850000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2037190880-819243489-950462038-1000\cf14ba5cbdcd2150f058a146d1c9f188_35514afb-ef24-48fa-8662-3709156a3dd3
| MD5 | 524e3d1096a630bcd1e7895034a19f00 |
| SHA1 | f4677c2040bd71ad928fc57a3204063e6ae01332 |
| SHA256 | c0a66345056e5540589cd0abe634246349b518ee79aa8cdf8dc411ee0c9cc242 |
| SHA512 | 2879b1451d49c9f4de704c9ac363e4c21dd2cf85053368f235b46e21418796ef4b81dc749ecd1c7e8960f18d4756ad6f190f69819eb09e377c4b38245f8779d0 |
memory/2712-629-0x00007FF913B30000-0x00007FF9145F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Quasar.exe.log
| MD5 | e07c3925c4e8b60a8ea6300a1437ef3a |
| SHA1 | 101e086eed0ac5cde21219343545f5042fb1cb12 |
| SHA256 | 98dd0707ee1844d0b0ad3f44d21c9bbfd1c135e18ea22061c9bc4e0e45736156 |
| SHA512 | 8ba1327624a4225082e608d9f7689796a5fdfaeb042f9870164436ff0022e94379e8b98774665e3ccc73d8cc1d3c510fbabd10f39b0f164c4fe3310570da5b8d |
memory/4032-633-0x00007FF913B30000-0x00007FF9145F1000-memory.dmp
memory/5984-634-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/5984-635-0x00000268B6BE0000-0x00000268B6BF0000-memory.dmp
memory/5984-636-0x00000268B6BE0000-0x00000268B6BF0000-memory.dmp
memory/5984-641-0x00007FF914460000-0x00007FF914F21000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| MD5 | d30b83058acbcdd7d9ee4eba0bef74c5 |
| SHA1 | 6fafd8d40d0da37aaa294d3781522838be1b8c1a |
| SHA256 | 27ef0c502a2fdc5e04d226ee931a55f50ae398af2b52560ffcd63f96a2bb80cf |
| SHA512 | 4ab647bd46f7fbfec4ca2f7608a574659992e7db94795333b90df4f2e3de9043c09dc30d6a2768981bb16728f46d2edebb658cd37b048a095b43260e9bd3c289 |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| MD5 | d971e0808c073882348af05d706eef77 |
| SHA1 | 0b4f84e016cdb2e3178229b2cbca88076fe89c63 |
| SHA256 | 4f484d6aee58371249f6da4bed0355898ceb6ce7f6b2b944bd0b51e91bff460d |
| SHA512 | 94f64a9ac40a9ccff1f2aaa1eddef3a7a6b6945be0256fea3714df13e16a9fdfaa42b39a43bc841e2169fdd43db7be124e0e4ebc403d346e9fcf67c0b9a91f8d |
memory/776-644-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/776-645-0x0000000000C40000-0x0000000000F64000-memory.dmp
memory/776-646-0x000000001BD30000-0x000000001BD40000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 331d7cce7d22db9332047e99499137da |
| SHA1 | 9cab5e4ada8ed2ce87a5956042497b223b9ab468 |
| SHA256 | 7e1919518d0d3e0ea0f26f62879333bd88bb933a66473c8142d8f3a39fac600f |
| SHA512 | a8c7586b9a580f9f07a8a7c4b4dce99cdc17869ad23cf5594d5844a5aca1c390cbff58bd2a43fcdba83ce8e9055c3f544ba9474ec8f55d14b9e082356c447841 |
C:\Windows\system32\SubDir\Client.exe
| MD5 | 26cf4a99858e3d5a3f26952490b4444e |
| SHA1 | dded2c521d8fb1733829cf4767e39c3352b2393b |
| SHA256 | 50a78fb3e115a56ab3e604aa7ed0ede22c279f3a234068b571b611ad9a6bf839 |
| SHA512 | 736052798785670d4779a786a1cd7e8fb55d6348f4d6629c0497f95b6959019c3e878ce63b14ed9d4b6436a5f13d686dfc6c4147b1a08e109a93fa360b3f9332 |
memory/4244-653-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/776-654-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/4244-655-0x00000000027F0000-0x0000000002800000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| MD5 | 602c27df6c369b2ec1fad3021420c5b7 |
| SHA1 | 5cd0e1426e194299df4d1377060e0b148213d0bc |
| SHA256 | ddc869ca514f497d89e629021f161abf069942bfd66fb6cbd05090267e93b518 |
| SHA512 | d3008af83b09374dbb3f652eee901a59def9399baea1e6db40ecab9f9f60c9494021ff33d6fc421f56ad4fe3c931fbe5d79842eff970922778f7d123e2107368 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/5416-658-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/5416-659-0x000000001B660000-0x000000001B670000-memory.dmp
memory/5416-660-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/4244-661-0x000000001C910000-0x000000001CE38000-memory.dmp
memory/4244-663-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/4244-664-0x00000000027F0000-0x0000000002800000-memory.dmp
memory/2868-667-0x00007FF914460000-0x00007FF914F21000-memory.dmp
memory/2868-668-0x0000029EB84A0000-0x0000029EB84B0000-memory.dmp
memory/2868-669-0x0000029EB84A0000-0x0000029EB84B0000-memory.dmp
memory/2868-672-0x0000029EB84A0000-0x0000029EB84B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2037190880-819243489-950462038-1000\7458e761378f037c3876e5f758c99c96_35514afb-ef24-48fa-8662-3709156a3dd3
| MD5 | 46219c1fcf707aea671af71ca1192130 |
| SHA1 | 81b5beffde2d3b1cc026e52d195e44f369960cc9 |
| SHA256 | 1905919490282158abbfe54762d5e1bc7ab64edb03b4f75ecb541615151642dc |
| SHA512 | ec33d8f8ba87272cb432739824f3abc360d2be969d02d4cf6c4c46f7edfc7198a7d57c077f645c40592d34e966a5e553c159e7d5e4dc891159e001592d7e1ced |
memory/2868-675-0x00007FF914460000-0x00007FF914F21000-memory.dmp
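Most of the Files section above is Edge profile housekeeping; the entries worth keeping as indicators are the Quasar archive, the builder output Client-built.exe (listed three times with three different SHA256 values, so the builder was run more than once), the installed copy C:\Windows\system32\SubDir\Client.exe (two different hashes), the quasar.p12 certificate, and the CLR_v4.0\UsageLogs entries, which the .NET runtime writes when a managed executable runs. The Python below is an added example, not part of this report, that parses this path-plus-hash-table layout, drops paths under an assumed noise prefix, groups hashes by case-folded path, and reports paths that were written more than once with different content. The sample text is a constructed subset of the section above with the hashes copied from it.

```python
import re

# Constructed sample: a subset of the Files section above. Paths and SHA256
# values are copied from it; one MD5 row and one memory-dump line are kept
# to show that they are skipped.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 601674c72ab6432255af673b850fcb6d |
| SHA256 | 4e55bf87d293ec916aa3acc02917c7614c91755737184347166b669c229744e8 |
memory/4032-407-0x000001DA0F620000-0x000001DA0F758000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| SHA256 | 27ef0c502a2fdc5e04d226ee931a55f50ae398af2b52560ffcd63f96a2bb80cf |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| SHA256 | 4f484d6aee58371249f6da4bed0355898ceb6ce7f6b2b944bd0b51e91bff460d |
C:\Windows\System32\SubDir\Client.exe
| SHA256 | 7e1919518d0d3e0ea0f26f62879333bd88bb933a66473c8142d8f3a39fac600f |
C:\Windows\system32\SubDir\Client.exe
| SHA256 | 50a78fb3e115a56ab3e604aa7ed0ede22c279f3a234068b571b611ad9a6bf839 |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| SHA256 | ddc869ca514f497d89e629021f161abf069942bfd66fb6cbd05090267e93b518 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
"""

# Assumption: path prefixes (lower-case) that are browser housekeeping rather
# than attacker-controlled files.
NOISE_PREFIXES = (
    r'c:\users\admin\appdata\local\microsoft\edge\user data',
)

SHA256_RE = re.compile(r'^\|\s*SHA256\s*\|\s*([0-9a-f]{64})\s*\|$', re.I)


def collect_hashes(report_text, noise_prefixes=NOISE_PREFIXES):
    """Map each case-folded file path to the sorted SHA256 values seen for it.

    Table rows other than SHA256 and memory-dump lines are skipped; a path
    under a noise prefix is dropped together with its hash rows.
    """
    hashes = {}
    current = None
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('|'):
            m = SHA256_RE.match(line)
            if m and current is not None:
                hashes.setdefault(current, set()).add(m.group(1).lower())
            continue
        if line.startswith('memory/'):
            current = None          # region dump, no hash table follows
            continue
        key = line.lower()          # System32 and system32 are the same path
        current = None if key.startswith(noise_prefixes) else key
    return {p: sorted(h) for p, h in hashes.items()}


def rebuilt_paths(hashes):
    """Paths carrying more than one distinct hash: rewritten with different content."""
    return sorted(p for p, h in hashes.items() if len(h) > 1)


if __name__ == '__main__':
    found = collect_hashes(SAMPLE_FILES)
    for path in rebuilt_paths(found):
        print(path, len(found[path]), 'distinct hashes')
```

Grouping by case-folded path is what makes the two Client.exe entries (System32 versus system32) collapse into one indicator with two hashes; without it the rebuilt-binary signal is lost. Every SHA256 returned is a block-list candidate, and a path with several hashes is the stronger hunting key, since the next build from the same operator will differ again.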