Analysis

max time kernel: 1171s
max time network: 1172s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2024 07:42
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted
family: quasar
version: 1.4.1
tag: Office04
c2: 10.127.1.209:4782
mutex: 3d0778bd-7708-430b-bcdf-f98271c696ed
encryption_key: B131A0FFB69231C11E0A80BFBD156074D44EF453
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (4 IoCs)
Resource and matching YARA rule:
- behavioral1/memory/4832-296-0x0000016ABC590000-0x0000016ABC6C8000-memory.dmp: family_quasar
- behavioral1/memory/4832-297-0x0000016ABCAA0000-0x0000016ABCAB6000-memory.dmp: family_quasar
- C:\Users\Admin\Desktop\Client-built.exe: family_quasar
- behavioral1/memory/3232-611-0x00000000007A0000-0x0000000000AC4000-memory.dmp: family_quasar
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access or copy of web browser credential store.
Executes dropped EXE (3 IoCs)
- pid 3232: Client-built.exe
- pid 4616: Client.exe
- pid 1572: Client-built.exe
Loads dropped DLL (4 IoCs)
- pid 1928: SystemSettingsAdminFlows.exe (listed 4 times)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\F: by SystemSettingsAdminFlows.exe
- File opened (read-only) \??\F: by SystemSettingsAdminFlows.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
- flow 34: camo.githubusercontent.com
- flow 35: raw.githubusercontent.com
- flow 37: camo.githubusercontent.com
- flow 42: raw.githubusercontent.com
- flow 20: camo.githubusercontent.com
Drops file in System32 directory (1 IoC)
- File opened for modification C:\Windows\system32\Recovery\ReAgent.xml by SystemSettingsAdminFlows.exe
Drops file in Windows directory (64 IoCs)
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 by vds.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName by vds.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 by vds.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName by vds.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
- pid 1740: ipconfig.exe
Modifies data under HKEY_USERS (15 IoCs)
Modifies registry class (64 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 5068: schtasks.exe
- pid 2080: schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid 3636: explorer.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- pid 1364: msedge.exe (listed 2 times)
- pid 3800: msedge.exe (listed 2 times)
- pid 2488: identity_helper.exe (listed 2 times)
- pid 4220: msedge.exe (listed 2 times)
- pid 3812: msedge.exe (listed 4 times)
- pid 4084: msedge.exe (listed 2 times)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- pid 4832: Quasar.exe
- pid 4616: Client.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- pid 3800: msedge.exe (listed 7 times)
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Token privileges adjusted, grouped by process:
- pid 4832 Quasar.exe: SeDebugPrivilege
- pid 3232 Client-built.exe: SeDebugPrivilege
- pid 4616 Client.exe: SeDebugPrivilege
- pid 1572 Client-built.exe: SeDebugPrivilege
- pid 1928 SystemSettingsAdminFlows.exe: SeBackupPrivilege (3 times), SeRestorePrivilege (3 times), SeSystemEnvironmentPrivilege, SeSecurityPrivilege (2 times), SeTakeOwnershipPrivilege
- pid 4404 SystemSettingsAdminFlows.exe: SeBackupPrivilege (4 times), SeRestorePrivilege (6 times), SeSystemEnvironmentPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (3 times), SeShutdownPrivilege
Suspicious use of FindShellTrayWindow (36 IoCs)
- pid 3800: msedge.exe (listed 34 times)
- pid 4832: Quasar.exe (listed 2 times)
Suspicious use of SendNotifyMessage (26 IoCs)
- pid 3800: msedge.exe (listed 24 times)
- pid 4832: Quasar.exe (listed 2 times)
Suspicious use of SetWindowsHookEx (10 IoCs)
- pid 3636: explorer.exe (listed 2 times)
- pid 4832: Quasar.exe (listed 4 times)
- pid 4616: Client.exe
- pid 1928: SystemSettingsAdminFlows.exe
- pid 4404: SystemSettingsAdminFlows.exe
- pid 1504: LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs, all from pid 3800 msedge.exe into child msedge.exe processes)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/quasar/Quasar1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb08a746f8,0x7ffb08a74708,0x7ffb08a747182⤵PID:2444
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵PID:4428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1364 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:82⤵PID:4772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵PID:5092
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:82⤵PID:1016
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2488 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵PID:1384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:12⤵PID:3048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵PID:1776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵PID:1496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5440 /prefetch:82⤵PID:4348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:4928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4220 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3812
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:668
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4596
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2396
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4832 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"2⤵PID:3704
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3636
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:1160
-
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
PID:1740
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3232 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:5068 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4616 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1338eb32h7cf9h4555h9d6dhd547edced6ac1⤵PID:3296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb08a746f8,0x7ffb08a74708,0x7ffb08a747182⤵PID:2736
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:22⤵PID:2192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4084 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:82⤵PID:864
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2512
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1780
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:4920
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4404
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2848
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2008
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3927055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1504
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter 1
- Scheduled Task/Job 1
- Scheduled Task 1
Credential Access
- Credentials from Password Stores 1
- Credentials from Web Browsers 1
- Unsecured Credentials 2
- Credentials In Files 1
- Credentials in Registry 1
Downloads
-
Filesize
273KB
MD56436c1e2fd21ec4fef4410167bb6ba5e
SHA11519316fa3b0bb01b0b05813f954bea9abcc8a03
SHA256597ef98660bb4be7c0f09e507fb5b394b334c49db9d67e46a162d58aefb6e022
SHA5122242e4a5c60ca467fd3fe64d097411d9452266d0253e565cba648916e3b173dd789fdc45d2be083d7b71fb4f9e997966655d9214f1813777302b038270522370
-
Filesize
88KB
MD5c230b6b003b3131c1972fa56aeb79fcf
SHA1083e36a67147b031f4ccb9e6d396529789977d85
SHA256013bec06baaa081e903fdb62a50abfce9e057955170b07edf3b92ec6c547887e
SHA512f75f4adf6d0a6a2410cf69da0574990437b6a18f9c8e93a9dcdb9d18121ddb553f10063dc0c30fa393ec990ba0db9c68e87c7c67a95478c87144483a9844f099
-
Filesize
2.6MB
MD569408426a6fe28cc42ec4e9746306316
SHA120cb0cda61fc86a7ee55fe29857f72d7238f11f0
SHA256891c5381840ab53bc2a493a7f7ed004d8fa2bfc4fa2bf64a9e1f561e2579268d
SHA5127d52243f584c3a34d434a7ae5fb85b5c9861fb965006961a13a27504c03f4635ce8d6a507986e80a8009b898d52008c0a70d65d4bc06034134362855dd178ca3
-
Filesize
719KB
MD529bda3453b0cba312463c84381f373c7
SHA1aca843cf1fc8607226a3fb32f6424ea1546eef30
SHA25615d29a06aecd840a42f3324e2951d28995f853c12f6164b60949d16aeab1824c
SHA5126f50d6a368eaa34021674b36938a2690bedb5008838af43029b441d2bbe2c531debfb9693a867371752e720239f03a540ff08a5cac67a51ce8eade1c435cd4b5
-
Filesize
110KB
MD577ee2f9d3eac2790fa22a8d9d14cf29a
SHA1803a334b59edb78615d38697f6f8a4e97a7b12c0
SHA256c382318698d96d44d1190673f04d3a099c2fdb75747606beb131e7f3f2aa3d10
SHA51202ec8c10d986617dd680d24166b8ccacda87dd03eaab278ebe80fbbc9c6f4c7a87cdf80824628eabb8d2c0971c2d55f9a2df1ddb24a04a40512d38cfb854e3c6
-
Filesize
749B
MD509efd6578f801457a55f8663fa8d09b2
SHA181dee466080d81484adca57dc2a0b6f18acb3a20
SHA25608130b319e06fb8ad9e27768e219942e725de81f3895ceb0c7b81fae2a54acdd
SHA512c053d1198448bb6df7978e8a3c5c7b65de7d79c4167c33b2631b8a717ce72c07b83a621288bf6318d39f65e3e1ecfb1f9132c6a43e54a68087316c1a62b2478e
-
Filesize
17KB
MD5a976339058116fcf346437d797c7eec1
SHA169a1dcf6a41bc750cacec3185c99839c079275bd
SHA2568ebf4096d28a78e8ab36e5084784acc90464eb4a74d972c942f147ea59e5134b
SHA51272bac6ea896d9b7f817ef5644adbdea80bc7f852be124f08487507a4507fb0c0aec167ec03b9dfb8c4ede7f0dbcbdc8343bd3c114eea62bb1b842160fce324a4
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
Filesize
152B
MD5174677ca5072735570c983bc1b4b9a65
SHA168efff4c84b32f794ac50fc1b59f315e7b5c5ca0
SHA256c55a7b95513a69964f9ace2f3db3df1da88e220ac9ccbdc7b050b70cf1ad0834
SHA512e2570b1efb85449f4ae12ce1867c437404d90193cb50e3820ee19f9c1aa234fc27b008ae05e324da13d9be985fdfbb2823a09c1c802e90444ffb71c3bb20d5b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\68907989-342b-4a98-87d1-a8516813779c.tmp
Filesize580B
MD5feb394813b1384e547c557a1bbda0210
SHA1e405e916c445867569ac8d8674312d4182cde006
SHA25631a3b0527dc567f289dd006914bbeab93ff77e3603f41d54297f0d7dabb42e1c
SHA5129323c3b09ac487c509ea1d1982d8b295c2dcf26729a377420f6323a0d813bd19dea54e5eb4b0168ea2da2b36d76b50d73def7668255fc1337da71f2f5487ef5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5f1322ffed9cc7abc3be3fc5189c4e02c
SHA1c14c26c4964da5dd3301f6e3afef06406753dd23
SHA256d6a09d7bfe543bd6d1932a74a8b5516be1409e2bc4e25ec51204287c2bedd3ab
SHA51261f8be47b29ffdcf1612d8cdcfca1bfaf95fe6bebca18b3360053ad96f5223462dfe68b786ba5742a19ecf3b2f779e9603816f4cce162a4a589d3e46aaeaf578
-
Filesize
20KB
MD59c1d6433c46676a24eb11560eee42452
SHA16212a0c82bb8bb1856737e215f857a503916e9f7
SHA256cb8b235ec62f55f02000ed6e279a71ee36e483a8a454f14cb9eda6934b4d9470
SHA5128a21dfb6acce7c36a451208e6be795a2c510213e4ebfeff75491238d11445cbed7b9fbae0b2825b565887edbac3895e4ed2610b914629f81ad61ef1b563e6329
-
Filesize
124KB
MD5fd9256d5a984f4a4c174d1edd57dca89
SHA192a67cb64e845308aad49b583e8c0b748c6a12d6
SHA25671b99603a64823d064421d16957424d52d395369aa48fe82f37cec796bb312a3
SHA5128087791ceafd17ea656fdc6327ea1925f66da216f2cb4a76ec3254b285d3eb97ad8517486d3306904cacee946b51aa077bf498cc0166828f03abef72e0e910cc
-
Filesize
580B
MD523a3063148f7bce8c648463ed5fedb7d
SHA122e6e98e0947f954982ab280f7a77f1d240cb682
SHA2560fba30c8186933174b2c395cb7aa254873cfc4d814fde1b4501ed2120fac7f7d
SHA512dc9a3e0d734c56032198cb3c25ab0dc903e24c6d2261f6aa17d408a4d6b91e1a5ab2c55f98210e9fb3c46c8d441b7ab8c7b9ec5f1b6e1b69d1657a2ac1079ddd
-
Filesize
61B
MD54df4574bfbb7e0b0bc56c2c9b12b6c47
SHA181efcbd3e3da8221444a21f45305af6fa4b71907
SHA256e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA51278b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
Filesize
6KB
MD5f126701d56226f1c9a3f97779d207acd
SHA13d0421bc3902f41dac5be410b0048d2b2af33aca
SHA2567a6fc03e58dc94fb2591fcc5bb7851d4063d66a0fc0160de697cb906d96d69df
SHA512f6a263b918136c3209508b081cf58b6f632394d67c34310bdee6ac1df2d6ee3fc91132455208d4fdc86187d24432ae3cbb07a9e9ccec26185e8ef261bfb544c9
-
Filesize
6KB
MD5ce7e25801f253f669196183b28c675b8
SHA10ca97c5d01f94d953209d496af2c089b5e60af5a
SHA256751a087cdd898e07523a85bbe6cccc72de56901afa814188795c7a9c70bab28d
SHA5126fee1953b2a8ef418d8da3659267cf8b3e905c9ff4555a371366858390290d381610daa4a0654de338d933bffe2bc268e93cf2d42262d8f85555386ce440e81f
-
Filesize
7KB
MD502ac2de942e0765034a1e439dec8e081
SHA1f63f10cdd8a86cf49fb0eb919ff5e53aa6057860
SHA256a0ca738d905339c182d849e6fd166bfe12b489492391a6f965307d48fa14e090
SHA512d5c99b138305b89053398c5b67bba91ca4a2761e1ede60d596e67f84c054d65ee9d1fa0b3066e2be856da247195f3d69b51ccc836810692c15873e41d1fda5dd
-
Filesize
6KB
MD5f5dd606494ad735c89492c2d6bc47973
SHA1a1cf426d6a43476bf64cdec9b90deb9845995594
SHA256fa34fb688d94ce3d9dee7f8b001e61c4225ba40664b8d1439d7303a02cbe6e6d
SHA5122aea3f6749cca1b9bbb20391725af67a3b695dc588cc8a9ac73f7ad58840f25fe4e2f34fdb670896a4a416eaa86ad264c56aec5c177124f689a0d00696664bee
-
Filesize
6KB
MD5c5c4e2038dfc22fb6322b78c2bfbc7bf
SHA12a1c789198ad08c398a1a02991926c8a000cb466
SHA256c3dec648ecb66f142d5c776dcecf37d7721109b8bbba046e20ec69c8b45c8e59
SHA512031c915b3776b0f58d8c27d689f7ac91948bfc72b4d49b5c9f95bf40ec0b6c481f25a2d9dbfb41859a6aa7b6be9a46670273dc41e012613a8506e0963a50e03d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize112B
MD58b695313591c7438b2be4f2fdf243a46
SHA16ec7632f958e518b156b4277453a643ae6a03d3a
SHA25611eefc60df7e831756bcc5daa9b6a5d3736303d984e30c27bbf46c8d16b5195f
SHA512fb5567540f787e3cb1fe33248bb740b888411fe54e8c9f5697c87cc0960e8e1619ec1527466d05fef3cba08c5279b88fdb15eb8863b6a77357c78f7768fe6442
-
Filesize
347B
MD50f633d7f01c7d66663f3b9e241dc2309
SHA1414f9c83833857d788724f2228bb41984171ff92
SHA256c25b6eb116df6c8023a63e31e9974eada4320fdb062494d6ca55f5e33c6af91d
SHA5122db01e39811535d3d0c82f8a76be5bcf8f12e544fe5251360b80cf055f5e86b62746a67baf1b07662cc43e5cb4374fc1d063251cd05900911c401b45ab96838d
-
Filesize
323B
MD59be5544a90bc459bfcc598092cdf7eb3
SHA19f89f65786141ac8dd13bf2b32f7f79fb5d1aed6
SHA2561a161192ceb6dd3733419b845a17ad1cd1aa8a8198cda9b32669a9a7737bdc0d
SHA512f5c2ee0feac601c449299a96d19ac5b6716411260fa692120b92d2cae3bff54b66ced27ca01fc33af3a46cbe487f205ba948b81e8756e12e6dad9ef31cdaa4a5
-
Filesize
1KB
MD5d877629c179cd80bbac5ff71d58de502
SHA1bb7276ce5a6735636fbae2aba4bb653ca7b69103
SHA25626bd1a48cac4ca11607321280e360d77d90d3dc31f970640f4c7ec16c12bfe83
SHA512ca9ee9f24d8ef7576684e5475d82edd2597462f19cbdd5ac3871486f3079f16ae819392fcb9ba23ad343f49411a4b1019db9229229faa9634c1ab49e929446a5
-
Filesize
1KB
MD533afee3b1d53045400b8a78c26a12b60
SHA1b4d01e5e0230f100e392d4042163d92de2b83098
SHA2565be532af968d06c101dcad7b5064ab1d3b061fb1cf9e088d874a0cd9db4db8cd
SHA512eb26dbc14a72ea6e2b6faf0b5782fb465074ccfae361b87b8656d12d51c0f9673876a58d59914a46ce75e5127a9dee0241380e880606f14120a2fae315ada35d
-
Filesize
1KB
MD5b5b315881de4f0acb4bb40286de4f9e9
SHA16e0967dfb4a3919acc70aa1fd8cfa8b2beed8440
SHA256ad6d553bce7e392ce06ea74d7b24947f7abacd4d9ce7ae45f30d3cad691a615c
SHA5129f732a7d4a1916eac005ac7448a2a8c797d77546b5bd547483fe4300bf6d082572eb5177d8af501c008f07c930f27e0a823d72941295fce8d150e087507cf084
-
Filesize
128KB
MD58dab8aa8585ab99acc3f766b919a23db
SHA1a3e39aabf5a8313a3567ed1bac62d03da5ebd1f1
SHA25600a3d2dca669c1be4ca3094746e8a7734b64de107561eff011e8dc5c15ea91b1
SHA512d6baa2ebe90952c09bdcb82e87a09874abf2b1099726f7aeb2aa21a50c05254567466dc7e68eb110b097adb922cdf4cacf1d3d62a9bb2c318cac66ce9ed23abc
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
10KB
MD51cabdde96b5c96ae6c248a8e9d70daf0
SHA1d9a3da99a677d71864ed06d111c799562dfc087a
SHA256c5f160d35f94c1f6ffe051a3de7e083f9b0a31c14d9d47c5f72423cb108f1e30
SHA51262a286ce96527f876537e8be23cab6a9d44b4fcac1cfe5726f6be5eff83e71e52c477123b3436a6902067ece4889d9aaca4e2b8078c5cc8fecce65833d5e575c
-
Filesize
11KB
MD529687cc36ed46cb8f1c12ecf363eaf53
SHA1398468ae8f6606c973a2eccc478c726bfaf0371b
SHA256b8ec7641b64c6ddb3978acf5ea928188640a06ebf1a668805b56d271583e5116
SHA512ef79741233966709ee8a0d52daad86ab072c9e5a810b243fb23f8b0490b364a20d400b847c967127dc2370dc05022705b8b7c5f2067c718861f7f979b05ac286
-
Filesize
11KB
MD50607fc3e10c176c10a7e41bee935bcb8
SHA1bdef608a5ac402363e736ed001f9892ae2f65187
SHA2569b8c46871449717ecf4d21460a8e0322846fcf4595eaea28e528b169e4879e0b
SHA5128e3059fb044a9f6609eb69f5cfb1577d123a6e4f904d1928e09859ff227bc8393147ce18232594ba5609a150cf5587fae2f239a9f5e12b2f3bc10a353d6dcfa2
-
Filesize
264KB
MD59adfc712ca60ba42d375e0bdfae96685
SHA165d18f4b081384abe450ce6caa6cb07ddd49af5a
SHA2560589cb2345357d1a28e18225e45cf533d1d3a0c0bc82f81a8e1bd492bf3f5539
SHA5120645fb6190e71511eea77a2fcb69c290056b244c1c2798f3de7088773574ff60bbe07fa13adb7fc24f8a45455208f6b9cfe990972ab9fd1ae5e73e6e2ad8b2a1
-
Filesize
4B
MD53dfbb3cafa28956a504083259b00df86
SHA193f0e8c2f5fd77bf11c259d9c7e0487fd0e5c7a6
SHA25641f74efb97057eb5ba8b96fca994e63f27f1f5cc2a3da985be1d59175e9d0fc0
SHA512f7598599aa29138f5ee85f4cb62def345eca31d4038d042e218170b7edf1f904217df7c1f4fd39dbedc70b7dde3af4e4b85801c19edd5ff8419b2102740337d5
-
Filesize
352B
MD570efa17933ca4cf0406586b72919fd1d
SHA14d3b7b269aca8747044d0bf53d8447518111c9f6
SHA25605d71b66acb0fac15c5168ed76a1d80db256de5cb8f38727d09a853128ac3ff4
SHA5124701d3e8822f869a0a7669d61e1d96664dc7d567f96176c9a0b0c9067cc5c21890452dc7f242b0a8712d01e3879170280161c4fccba2b765943167068355a172
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2412658365-3084825385-3340777666-1000\5a9c4fbfa0752a8d057b8fa0c7db0f7a_dd06e985-ac7f-4567-b0c7-3752f03c29fc
Filesize3KB
MD53f67394c0e096325c7243310c09593d8
SHA17fa27bd2ec534764e8f32a0e69b0bec3e17eb7e0
SHA25692b6746998c595c1676aa850632210eeca3cd6db217f15d815e933a25c3f9027
SHA5127be00b805237566dc1b3ff296692a7560efae93d9304e5628ffedffccd8e4352349a517204444f66affed1e53a7fece09841be69fd8b6176d6f4c2777993c766
-
Filesize
3.1MB
MD5cccda4656c0a50bae7421b77bac92620
SHA12c233643f8681cc2fb52f54c364cf3a1772bcb53
SHA256e137c0cf65e0fc4ffb3fe9cdcb0a8281feb45165ace9505ee8b250f2506c0ef8
SHA5124bd2232ab50aaa0de7275fd087523896b5051b854802eee8c35f7ece0c835109bde884bf7f1b341a6158badee8e680f61e6d3577198db9b2fc06bc020fd3cd65
-
Filesize
3.3MB
MD513aa4bf4f5ed1ac503c69470b1ede5c1
SHA1c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA2564cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Clients\Admin@HVDPCYGS_872C1E3\Logs\2024-08-04.html
Filesize512B
MD5bc62de9d5127ece1d08aec11a96470d1
SHA153e92faf01aa88ee506c94cbaf1246f57ab1e8c6
SHA25612d029c3a7a7a9aefc54e4bf7e6b67b6844debe74654a286ef93ef98bf84f8bb
SHA5126af7f475bb464bcffc71317696e4fae11b397b5e15d03a2aa73a79fabc56c3fff78cc825bfcfe506d2d3060837e0b96b9e0fd6e4a1a134a4a235e19c65901d6c
-
Filesize
1020B
MD55b58471ac4e5bb2e94ed0434020b112a
SHA1be172639ae9372f147c5739ac025a4c0cc268f51
SHA256abe326a74fc76908fe3dc1a06996b1b4550866a8c7b84e2917bc849d41f97edc
SHA5125fb5f3e68c713a7334a33b4ab55f20510ba2e9ee0ac94074caf4361e4bf28f5705438f91259c91f05810de7fd608fd015493c887d1daf3eb1964cc095273c7e2
-
Filesize
4KB
MD5a194d77a59788335c0683606da4acdd2
SHA1735b11d8cbd266d5431c1d7c6757154f6335154c
SHA25623b9bc7fd76051043da05ba3391056ccc8072bb59397d4daa3b46374b6c8add6
SHA512: 8526aef0e8560862755a4059bd81c2137c2bc9d6f961ca7bad6af8571f31e39f9667773c10b64eac1967e0bad05971e7f1f989b20cb625e2dbabaeff3cfa039a
-
Filesize: 157B
MD5: 94bbb85b209841b1379708d39eb7702c
SHA1: ac4391c9a6b99a04cb414eb55d727ac8ac86d2a0
SHA256: 67a8b474793537687a6c087ac9f6c0fc75b4ec43e2f33bff90e0d2a68c82dc45
SHA512: 8b8b0f4758a9c87d3aadbf8e76acc86405bbb8b003c138876765aef7e1d2120feaa0f68055b400a5c34ff294d20bbee1e8173b037daab225a3e1b04cf8a54554
-
Filesize: 372B
MD5: fca8b1c002395cf5d7ecf1a357f34319
SHA1: 3795bf632d1a619814301b5226d958ce78a0ab12
SHA256: 0ac0e8ff8e7d2722ee870e3e227f844d16ee41250a16ba0b2d3e1537297bdc21
SHA512: 5d38019d282afd8b8da9d0acf0c2e622c3a889e0f7e457d08aeb6324192b7ab904ad133c6336fc24555a00c9654a8d9d21fa7211299d01b4aaad028a5739483a
-
Filesize: 9KB
MD5: 3f13d75af0ee3cfcda4f82d98719f06f
SHA1: 9ffe54bf0f0dd28bb295d76c27c7caa548f39a68
SHA256: 7f1ab4990396dab6c70ca58da8f103b15deda89096c884fa62c499403187554f
SHA512: 81d60c33ac31f30f50e644f0c6bbd53bb89591971201d52f130e08586c2a961637048aa13ae08ffddd495b0eeeec7cc98f25a1db3db6de48ae50533e1f8a6fe1
-
Filesize: 106B
MD5: 3105d96cd9f198ca8986f4255789a09f
SHA1: 5247bfce652665d6831f392de47c873953618ec2
SHA256: 732d935d25d2db004c1e77ebc3040325562175ee6d76399057ca81f856c15815
SHA512: 9098f665e199174a70d4c298354498d70caa32b1ecc26aa0458beadd0dfba12a20bd4c92db5bb5bfeea2f56a2234a69a3c264aa7cc114e122c5579518caaba93
-
Filesize: 42B
MD5: 75720c403d57d188db40183385219803
SHA1: 91aca8d220ac46a788a7478a50511f9da79847f6
SHA256: c2464f286ab6b8b534385064f0f4d770ffe040be4f1b5c3be340a4a511238b70
SHA512: 47fcb2e3f02190cfee808ba6dc4d4057946076725a2e1172c4b9ab70f7ca91b7de2126047ac20491c3cf1f73971f55c9fa91117ab4fac107041af9dc3102c482
-
Filesize: 66KB
MD5: 3c08dea20e350ea34f7309e856576428
SHA1: d7a048ccc07b4d16afc4d778d5601a067fb151b9
SHA256: b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82
SHA512: 1c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d
-
Filesize: 9KB
MD5: 2ff3cb48098a371025bd35627e0ad18b
SHA1: 45e73c16d3718ed33fa11987f23d7621102a96eb
SHA256: f5a7335d27c89072fc657286b1eb4203ef39fabfb40ae3e17150fc42f21346c7
SHA512: de30b7f190b9cb2d78843f29c3cc8460c47d81d9dae78acba1133cc1e42d6f52eb6c4291b161abb1429f48a88da96cee4e55938397f10e181464d59439ef44c4
-
Filesize: 12KB
MD5: f46ca122746cf66a7735a71ffa145f62
SHA1: 0b190aae384f53bee055a789dbd868c60f246501
SHA256: eeab26bc6d25c9d40664fd63dd438a46439314bec5d460d1319411448e6e8dbb
SHA512: 9d639570547e2c9e030eccf6b0556a5bd2ddccd0597d74c90002b7648bdd4c5a42126575a23c5b667c971874ab9e89b4f27dfd83d781c8ace517f4b9f50b2070
-
Filesize: 1KB
MD5: 606bb04b79c722de9b08833316da196b
SHA1: 0b2721425831ceb6a660f44452d009d4e1959388
SHA256: 4d2b43d964d53c7c65c36ed9d638aa5c272e54c9f861344c3eb38ad4ee64a512
SHA512: f062c5c907431a7006c3a172596967ce7895bd8f11de7b42549f6e979930a661cfd2604296533cc257796e69cecf7d2e62e761e328904a10a1ef1efb56a384bd
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\90ae2b83-04c3-4ea5-8685-fd898ec76d91.AggregatedMetadata.cab
Filesize: 1.7MB
MD5: ac8304d9dd93aa844e6a80ceec3bfcf6
SHA1: 25d8a0e335aea196d69a21c4b64fef31a2ecb49b
SHA256: e5a3fbb00d6ec175f3912cbf333614034d088ee665cf276b8631b309714f96a6
SHA512: b415bb722ed5f6db287c8beca06ad6c4a9006c1a815b224b14ae55b85fe3f0e1b72db355ec7969eba9fc7d12cc3df84746dd81f6a478f9984e0d2ac7b85f8c63
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_ar-sa.CompDB.xml.cab
Filesize: 16KB
MD5: 4c23e3473262f08834b8841ae2a52ba2
SHA1: 5db8dba4f97e55361fc24c1b1694e9571f161183
SHA256: fe95f47d1f5227829fd03b05c896e757cae92ef7e5bf53ac89b8bfec16eac042
SHA512: f9aa2703fff27df1198ff4e20cd7f692e90a09b8a664d10fcd77fd979d7545282aa1379e3e3144effa3b71170238215eb1f2389c8ad488a67ce48ada357d62d3
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_bg-bg.CompDB.xml.cab
Filesize: 17KB
MD5: 6583f80c152b3144a5cdecc99795214b
SHA1: df52ee426687262b5548d3c724b4f53ef6604839
SHA256: 03b31d9afa1c55d3d5452bb9c69b6688d276e58221b8eda8469144aa019eb579
SHA512: da8c3fafb716e5b3f7e339fa59992b73463f6695571cba1711d402c58e14d1734ba26da7d1e2cc55d664d5469870f14f65652fb5ce492985fc5b2577602d3da1
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_ca-es.CompDB.xml.cab
Filesize: 9KB
MD5: ec32e5f5fbae4cea7d8eac9ec2c4da3d
SHA1: 6203503e8f1f710973118dfacefa1973268f4970
SHA256: 4cdadd73a1bef82f578c9da785339572561c649c9bdf0cc80134aef326644461
SHA512: 90b01b8d8d2cefa9e2c765ecbc1f4d44e088c9bf4f670236b7b80334593e04c414fe389aaf9f8601402d68c964f5e1a862e9da0ca32ce9af23fc19a22bcbd6dc
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_cs-cz.CompDB.xml.cab
Filesize: 16KB
MD5: c8b7dbad3b2d31c56fc6c35047988bc1
SHA1: b0817adf413d287fc929c5e2df1cacc3455ced43
SHA256: e8ce236f1a9706fceb6db46d1e89f7ee1134550c0fa767cec46acf788a1adbb7
SHA512: e09cb1213560e885f1fa9adfb0578c1e5ac2bf5b3a663242d19ad6f8125f631d23b512af03346cfbb716f91c6570cd39a65694720cac6504b3bb9c40ccb80940
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_da-dk.CompDB.xml.cab
Filesize: 16KB
MD5: 24436a3af469e98c90cefa37409584d6
SHA1: 1b1df7cb3b15a31721ad014faceacd977b0a4567
SHA256: 7ce7e1e864e84dfc5eace134a236e9312a7deb9c3f8413a43580f86a8f15019f
SHA512: b14ec01a13944d3be427059b37de3ff70f9e256aa4220da76dcb77d97e84208970cbac1ff28ed635da684e6be5560ea62d13f40a86b252b6a3a301037d4783ed
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_de-de.CompDB.xml.cab
Filesize: 16KB
MD5: 7e21b40a21b06403e9612cc73d46228b
SHA1: 2ca64382163556ccdb02f5123faebdc4daf22c09
SHA256: 051097420c09aa3d7348dda0872092ccd9118043ae20e56725e42b73c3dfd42d
SHA512: 33074c263febb4a07c7a01379ee46a52860f42f3926ede3c320cdc7e015906616501f9b1c28be4816201a102267867250154b72877d80bbddf4ba68cdb79beec
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_el-gr.CompDB.xml.cab
Filesize: 17KB
MD5: b3a1893721c1a2c7032efbf366f44f74
SHA1: 1745fabbe0e5497eb60e822f6b1a9cb7b05cef08
SHA256: 2bb68feddf18ef7692b9dddcdcf650632712e478a7e58cf226f4a1343899f9bc
SHA512: 54321d96f2c961013d39b50a0317f2bfe39a8d64a679b6aa70a28f61e82d8c53f3dd9d2239129b43ab107317c850c30754dfd9749a75c5315ae3495f29358d48
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_en-gb.CompDB.xml.cab
Filesize: 16KB
MD5: cfa403ca31e03930ef86106747141e38
SHA1: a433317ec46c65d5ecf60862bf1b53cbd93a2bd2
SHA256: f59acd90823da247b61605a22eb73f90ce4dfc31664398495e89e634dd519d31
SHA512: b09c1cb61e65bd1076696b08f9af8fa071b539f32e771fe631a28ab19520013b329498b52373532dc01abfa9d1582971ef858e9ed5e1b1f204466f45a1e2205e
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_en-us.CompDB.xml.cab
Filesize: 16KB
MD5: a83112f73700b04f7e2269d5035ed7d7
SHA1: abfad299ed2275cb7318843ccb55f8107afe08e3
SHA256: 7ff228a96ed33e47464dd7cd21338727b00d71318d23877d3670a0d0ce4bfb94
SHA512: 17d5fceb18533e29a8ee23d282223afa75ba51f45e0197a96256671216015e1a6c35b085d338a1bdf2303f63e3f68827b37bcaa27f63fedeee6256cfcfad45f9
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_es-es.CompDB.xml.cab
Filesize: 16KB
MD5: a1ca8e6d8c9b3852f4a67dc892422f36
SHA1: ba7b2017d6fbfaa38e1d9c0a7b9a849df9139869
SHA256: 7c50b8420c8b0cdd48457a03fca407b940841a47c7a09762ee44b9dc1b6a8370
SHA512: 7dc3bd971f9bbb5bf055c229191409323289a10236762751aabf2a375c85209ce517bf78531f3914ddaf4258158ea0f7c4e2585a611d4c9f09aebd8fc31030b5
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_es-mx.CompDB.xml.cab
Filesize: 17KB
MD5: c310d1bf613219c29ef7325d5d7c3f34
SHA1: 93ef60383ded86ad5bca2060c6854c1b6c7a8e04
SHA256: a0d8284f08bf728e4a19bf14b0f51068d1fcecf5cc277a2835af9b3f5221d6a1
SHA512: 8083605ace9a462a4bdc8ab156e3d82ee744c9d6420886ee0bac5f3911ab81c5499195443d4ec7a3e5cb55099fc57daa2518dc7475668ab0a05c0a349e810888
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_et-ee.CompDB.xml.cab
Filesize: 17KB
MD5: b75b777b8743bd509bdf9f59825823c1
SHA1: 8a474eb7b01206ba88aae87b287dba96a44e2e47
SHA256: d7099d9a6757b428e82b8100ce2cbee77d4c359ff2b2d27831a155e9cc9442e5
SHA512: 31ab7a4f2630dd84121b0ba10fb6b7ef1db2f5dcc4b9d098680c0b018b086b16c322fa2561856a1a6771cc19891faf808f682e8b8c38466f038a1dddce70e559
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fi-fi.CompDB.xml.cab
Filesize: 17KB
MD5: 87f71a1fc29e28a2e138d49bc82a43f3
SHA1: 14f2a3a85162e2e7932c69a95e4ca2b0057ffe69
SHA256: 0c95f3c316cf74e4b46f1d1a43f718ea47b4c15ecdfc273042f660c98bdc254e
SHA512: 183e2adfa9afa4fbec28968af5e09e207fa3403d15f54c2d666ca348299eb57c4ccda36bb5a6e70d6f0b7ed44f2df160b997439144b3fb5143a782ab275e22ed
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fr-ca.CompDB.xml.cab
Filesize: 16KB
MD5: 24e6f04053bd7568e7e50dea7ee6af68
SHA1: 4bc3e0a58cda673114ae3283ce7a6437e7660edb
SHA256: 42351f8d85d1f8789a337ecfd85b254e65a767232e89878ba3182aaf68a47e6f
SHA512: 2fea27f7db72b7c999c9b6fae7ab51802f1182bd731d9acefb2891e8fe18b5013b2e399c77176e49ac9f27bff542812736dd97e6cc06bf477596620f5c604b46
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fr-fr.CompDB.xml.cab
Filesize: 17KB
MD5: a96f4f0f0efa9624343d69edc823d9b4
SHA1: 769e10d7e4216f2a9e541bfcac274ab059667e68
SHA256: cddc265162029f301e3a31506bce636509d2597223c77d410e989d36bc43f13e
SHA512: 3ce79218ed71766a8424dffe8bc2ff0842dbefd3bae5e00a20cd569e17c91cbdf7f1d5a9e1e47eeef297c3aa51ab6e5b2962087af57b3f0f43c2f22b6247717e
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_he-il.CompDB.xml.cab
Filesize: 16KB
MD5: fd0f365ab0ddda136be2daa79bc3156e
SHA1: 9cc250659501d2c23003a2747c306e9bab9f8d60
SHA256: e9ee8268809809295b887349740bc8b10b605b2f0cf361233cb7e3f3c6f787ed
SHA512: e031f3f16b9ad482eb49f0d5284946c05565d10c715d324843f087e5c5a65d57b7cbfb840cae80310277d732b3906e2f51ef71e75595cf4647d7bf4b89fbe8a0
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_hr-hr.CompDB.xml.cab
Filesize: 16KB
MD5: 57afb1327ae97a65ab58954a7c7cce38
SHA1: 78d1b656c2bcaac6bac4c74cec514a00a2edfea8
SHA256: b29b72158bb09c4cf61cd1af7849cd6a4ae092e39e5c536579b0779a6e2d3fed
SHA512: 895b62e1fbad905020cd1685a4bd7487d4a1a08e9ab7997b005bd39c5c5a0dbbdc5524a31fa8ef01b848a1658150c3e2f1f9851b08ddf7ce1d02b11a73c95126
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_hu-hu.CompDB.xml.cab
Filesize: 17KB
MD5: 8d5bee317aeeaefb302014758fed0612
SHA1: 3e5d3d0ad2c713a6dc9db2c978fd5d33ccf6d83a
SHA256: be09db63d9d58b87b6750ab2369616fb3f228a9f6f32ef1bdecf2ff77ed2a2c7
SHA512: 842247c402cd268eb51c0747bf9885f4579ecd79f4efcb03635eb58c0ee09415e0521747d91937859eb8657d8394b7cac7b0248c3b0324cfa7d547494a9bf86c
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_id-id.CompDB.xml.cab
Filesize: 9KB
MD5: fa21745dee956210ca2f09b802108379
SHA1: 0d6ca47c794f14cc8907edd04fcc4709a5813e31
SHA256: de05b252d420b8e8f28471bb39115dde9005d392eda4c09a5c557dd98db84107
SHA512: 8373819f4873e734c134939452605d2102d0f1c083a63e581be88577d6b92681f17d49ba36fa8024b8f91265fe331b0c854e584fa9c95ce8e064e4b30508b662
-
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_it-it.CompDB.xml.cab
Filesize: 16KB
MD5: 1f89fac27015649908857f4ae63de59c
SHA1: bc3bc4b15eea2321156ff4818686fa4c008296d6
SHA256: 74497495d7a5ffc28ecad6596c03702abd0758a068f0c6d3017e31d2655fad13
SHA512: 8553cf9c770d291af59aeed0890dda5e891ca622cabdfe1249b98968086d6442db03b15184f1e34d590514e71a1e78620ae8f6f6d0e889609c9659d1f112fd04
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e