Malware Analysis Report

2024-10-23 21:24

Sample ID 240804-jjxxdavalg
Target https://github.com/quasar/Quasar
Tags quasar office04 credential_access discovery spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

Threat Level: Known bad

The file https://github.com/quasar/Quasar was found to be: Known bad.

Malicious Activity Summary

quasar office04 credential_access discovery spyware stealer trojan

Quasar RAT

Quasar payload

Credentials from Password Stores: Credentials from Web Browsers

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

Browser Information Discovery

Gathers network information

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Modifies registry class

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 07:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 07:42

Reported

2024-08-04 08:02

Platform

win10v2004-20240802-en

Max time kernel

1171s

Max time network

1172s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/quasar/Quasar

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client-built.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\SystemSettingsAdminFlows.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A camo.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\PBR\CBS\CBS.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\DISM\dism.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\actionqueue C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\DDACLSys.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\BCDCopy C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\_s_3365.tmp C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\DISM C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\UnattendGC C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\cbs_unattend.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\diagerr.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\setupinfo C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\ResetSession.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\WinRE C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\unattend.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\WinRE\bootstat.dat C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\INF\setupapi.dev.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\DISM\dism.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\_s_34CD.tmp C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\PushButtonReset.etl C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\PushButtonReset.etl C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\setup.exe C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\Contents0.dir C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\_s_3365.tmp C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\BCDCopy.LOG C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\SessionID.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\INF\setupapi.setup.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\cbs.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\Contents1.dir C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\Contents1.dir C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\ResetSession.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\MoSetup\UpdateAgent.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\INF\setupapi.dev.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\INF\setupapi.offline.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\cbs_unattend.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Timestamp.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\ReAgent C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\cbs.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\_s_34CD.tmp C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\BCDCopy C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\CBS C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\diagerr.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\setup.etl C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\_s_3616.tmp C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A

Browser Information Discovery

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "5" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000025984631100557365727300640009000400efbe874f774804596b3d2e000000c70500000000010000000000000000003a000000000051291b0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000100000002000000ffffffff C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 84003100000000000459973d1100444f574e4c4f7e3100006c0009000400efbe025984630459973d2e00000088e10100000001000000000000000000420000000000476ca50044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client-built.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A
N/A N/A C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3800 wrote to memory of 2444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 2444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 1364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 1364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3800 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/quasar/Quasar

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb08a746f8,0x7ffb08a74708,0x7ffb08a74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe

"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\ipconfig.exe

ipconfig

C:\Users\Admin\Desktop\Client-built.exe

"C:\Users\Admin\Desktop\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\Client-built.exe

"C:\Users\Admin\Desktop\Client-built.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1338eb32h7cf9h4555h9d6dhd547edced6ac

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb08a746f8,0x7ffb08a74708,0x7ffb08a74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3927055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 185.199.111.133:443 camo.githubusercontent.com tcp
US 185.199.111.133:443 camo.githubusercontent.com tcp
US 185.199.111.133:443 camo.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.114.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 21.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
N/A 10.127.1.209:4782 tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
GB 184.28.176.90:443 www.bing.com tcp
US 8.8.8.8:53 90.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 195.195.62.23.in-addr.arpa udp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
US 8.8.8.8:53 fe3.delivery.mp.microsoft.com udp
N/A 10.127.1.209:4782 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp
N/A 10.127.1.209:4782 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2783c40400a8912a79cfd383da731086
SHA1 001a131fe399c30973089e18358818090ca81789
SHA256 331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512 b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

\??\pipe\LOCAL\crashpad_3800_NUBMNOXIGZSGTMDR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ff63763eedb406987ced076e36ec9acf
SHA1 16365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA256 8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512 ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f126701d56226f1c9a3f97779d207acd
SHA1 3d0421bc3902f41dac5be410b0048d2b2af33aca
SHA256 7a6fc03e58dc94fb2591fcc5bb7851d4063d66a0fc0160de697cb906d96d69df
SHA512 f6a263b918136c3209508b081cf58b6f632394d67c34310bdee6ac1df2d6ee3fc91132455208d4fdc86187d24432ae3cbb07a9e9ccec26185e8ef261bfb544c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1cabdde96b5c96ae6c248a8e9d70daf0
SHA1 d9a3da99a677d71864ed06d111c799562dfc087a
SHA256 c5f160d35f94c1f6ffe051a3de7e083f9b0a31c14d9d47c5f72423cb108f1e30
SHA512 62a286ce96527f876537e8be23cab6a9d44b4fcac1cfe5726f6be5eff83e71e52c477123b3436a6902067ece4889d9aaca4e2b8078c5cc8fecce65833d5e575c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f5dd606494ad735c89492c2d6bc47973
SHA1 a1cf426d6a43476bf64cdec9b90deb9845995594
SHA256 fa34fb688d94ce3d9dee7f8b001e61c4225ba40664b8d1439d7303a02cbe6e6d
SHA512 2aea3f6749cca1b9bbb20391725af67a3b695dc588cc8a9ac73f7ad58840f25fe4e2f34fdb670896a4a416eaa86ad264c56aec5c177124f689a0d00696664bee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f1322ffed9cc7abc3be3fc5189c4e02c
SHA1 c14c26c4964da5dd3301f6e3afef06406753dd23
SHA256 d6a09d7bfe543bd6d1932a74a8b5516be1409e2bc4e25ec51204287c2bedd3ab
SHA512 61f8be47b29ffdcf1612d8cdcfca1bfaf95fe6bebca18b3360053ad96f5223462dfe68b786ba5742a19ecf3b2f779e9603816f4cce162a4a589d3e46aaeaf578

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c5c4e2038dfc22fb6322b78c2bfbc7bf
SHA1 2a1c789198ad08c398a1a02991926c8a000cb466
SHA256 c3dec648ecb66f142d5c776dcecf37d7721109b8bbba046e20ec69c8b45c8e59
SHA512 031c915b3776b0f58d8c27d689f7ac91948bfc72b4d49b5c9f95bf40ec0b6c481f25a2d9dbfb41859a6aa7b6be9a46670273dc41e012613a8506e0963a50e03d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58410b.TMP

MD5 b5b315881de4f0acb4bb40286de4f9e9
SHA1 6e0967dfb4a3919acc70aa1fd8cfa8b2beed8440
SHA256 ad6d553bce7e392ce06ea74d7b24947f7abacd4d9ce7ae45f30d3cad691a615c
SHA512 9f732a7d4a1916eac005ac7448a2a8c797d77546b5bd547483fe4300bf6d082572eb5177d8af501c008f07c930f27e0a823d72941295fce8d150e087507cf084

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 33afee3b1d53045400b8a78c26a12b60
SHA1 b4d01e5e0230f100e392d4042163d92de2b83098
SHA256 5be532af968d06c101dcad7b5064ab1d3b061fb1cf9e088d874a0cd9db4db8cd
SHA512 eb26dbc14a72ea6e2b6faf0b5782fb465074ccfae361b87b8656d12d51c0f9673876a58d59914a46ce75e5127a9dee0241380e880606f14120a2fae315ada35d

C:\Users\Admin\Downloads\Quasar.v1.4.1.zip

MD5 13aa4bf4f5ed1ac503c69470b1ede5c1
SHA1 c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA256 4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512 767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ce7e25801f253f669196183b28c675b8
SHA1 0ca97c5d01f94d953209d496af2c089b5e60af5a
SHA256 751a087cdd898e07523a85bbe6cccc72de56901afa814188795c7a9c70bab28d
SHA512 6fee1953b2a8ef418d8da3659267cf8b3e905c9ff4555a371366858390290d381610daa4a0654de338d933bffe2bc268e93cf2d42262d8f85555386ce440e81f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\68907989-342b-4a98-87d1-a8516813779c.tmp

MD5 feb394813b1384e547c557a1bbda0210
SHA1 e405e916c445867569ac8d8674312d4182cde006
SHA256 31a3b0527dc567f289dd006914bbeab93ff77e3603f41d54297f0d7dabb42e1c
SHA512 9323c3b09ac487c509ea1d1982d8b295c2dcf26729a377420f6323a0d813bd19dea54e5eb4b0168ea2da2b36d76b50d73def7668255fc1337da71f2f5487ef5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d877629c179cd80bbac5ff71d58de502
SHA1 bb7276ce5a6735636fbae2aba4bb653ca7b69103
SHA256 26bd1a48cac4ca11607321280e360d77d90d3dc31f970640f4c7ec16c12bfe83
SHA512 ca9ee9f24d8ef7576684e5475d82edd2597462f19cbdd5ac3871486f3079f16ae819392fcb9ba23ad343f49411a4b1019db9229229faa9634c1ab49e929446a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 29687cc36ed46cb8f1c12ecf363eaf53
SHA1 398468ae8f6606c973a2eccc478c726bfaf0371b
SHA256 b8ec7641b64c6ddb3978acf5ea928188640a06ebf1a668805b56d271583e5116
SHA512 ef79741233966709ee8a0d52daad86ab072c9e5a810b243fb23f8b0490b364a20d400b847c967127dc2370dc05022705b8b7c5f2067c718861f7f979b05ac286

memory/4832-296-0x0000016ABC590000-0x0000016ABC6C8000-memory.dmp

memory/4832-297-0x0000016ABCAA0000-0x0000016ABCAB6000-memory.dmp

memory/4832-300-0x0000016AD9E30000-0x0000016ADA15E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0607fc3e10c176c10a7e41bee935bcb8
SHA1 bdef608a5ac402363e736ed001f9892ae2f65187
SHA256 9b8c46871449717ecf4d21460a8e0322846fcf4595eaea28e528b169e4879e0b
SHA512 8e3059fb044a9f6609eb69f5cfb1577d123a6e4f904d1928e09859ff227bc8393147ce18232594ba5609a150cf5587fae2f239a9f5e12b2f3bc10a353d6dcfa2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 02ac2de942e0765034a1e439dec8e081
SHA1 f63f10cdd8a86cf49fb0eb919ff5e53aa6057860
SHA256 a0ca738d905339c182d849e6fd166bfe12b489492391a6f965307d48fa14e090
SHA512 d5c99b138305b89053398c5b67bba91ca4a2761e1ede60d596e67f84c054d65ee9d1fa0b3066e2be856da247195f3d69b51ccc836810692c15873e41d1fda5dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 23a3063148f7bce8c648463ed5fedb7d
SHA1 22e6e98e0947f954982ab280f7a77f1d240cb682
SHA256 0fba30c8186933174b2c395cb7aa254873cfc4d814fde1b4501ed2120fac7f7d
SHA512 dc9a3e0d734c56032198cb3c25ab0dc903e24c6d2261f6aa17d408a4d6b91e1a5ab2c55f98210e9fb3c46c8d441b7ab8c7b9ec5f1b6e1b69d1657a2ac1079ddd

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12

MD5 a194d77a59788335c0683606da4acdd2
SHA1 735b11d8cbd266d5431c1d7c6757154f6335154c
SHA256 23b9bc7fd76051043da05ba3391056ccc8072bb59397d4daa3b46374b6c8add6
SHA512 8526aef0e8560862755a4059bd81c2137c2bc9d6f961ca7bad6af8571f31e39f9667773c10b64eac1967e0bad05971e7f1f989b20cb625e2dbabaeff3cfa039a

memory/4832-449-0x0000016AD8FF0000-0x0000016AD9008000-memory.dmp

memory/4832-450-0x0000016AD9270000-0x0000016AD92C0000-memory.dmp

memory/4832-451-0x0000016AD9BD0000-0x0000016AD9C82000-memory.dmp

memory/4832-452-0x0000016AD9B10000-0x0000016AD9B5C000-memory.dmp

memory/4832-454-0x0000016ADCE90000-0x0000016ADCEAA000-memory.dmp

memory/4832-453-0x0000016ADD350000-0x0000016ADD3AE000-memory.dmp

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml

MD5 5b58471ac4e5bb2e94ed0434020b112a
SHA1 be172639ae9372f147c5739ac025a4c0cc268f51
SHA256 abe326a74fc76908fe3dc1a06996b1b4550866a8c7b84e2917bc849d41f97edc
SHA512 5fb5f3e68c713a7334a33b4ab55f20510ba2e9ee0ac94074caf4361e4bf28f5705438f91259c91f05810de7fd608fd015493c887d1daf3eb1964cc095273c7e2

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml

MD5 94bbb85b209841b1379708d39eb7702c
SHA1 ac4391c9a6b99a04cb414eb55d727ac8ac86d2a0
SHA256 67a8b474793537687a6c087ac9f6c0fc75b4ec43e2f33bff90e0d2a68c82dc45
SHA512 8b8b0f4758a9c87d3aadbf8e76acc86405bbb8b003c138876765aef7e1d2120feaa0f68055b400a5c34ff294d20bbee1e8173b037daab225a3e1b04cf8a54554

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml

MD5 fca8b1c002395cf5d7ecf1a357f34319
SHA1 3795bf632d1a619814301b5226d958ce78a0ab12
SHA256 0ac0e8ff8e7d2722ee870e3e227f844d16ee41250a16ba0b2d3e1537297bdc21
SHA512 5d38019d282afd8b8da9d0acf0c2e622c3a889e0f7e457d08aeb6324192b7ab904ad133c6336fc24555a00c9654a8d9d21fa7211299d01b4aaad028a5739483a

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2412658365-3084825385-3340777666-1000\5a9c4fbfa0752a8d057b8fa0c7db0f7a_dd06e985-ac7f-4567-b0c7-3752f03c29fc

MD5 3f67394c0e096325c7243310c09593d8
SHA1 7fa27bd2ec534764e8f32a0e69b0bec3e17eb7e0
SHA256 92b6746998c595c1676aa850632210eeca3cd6db217f15d815e933a25c3f9027
SHA512 7be00b805237566dc1b3ff296692a7560efae93d9304e5628ffedffccd8e4352349a517204444f66affed1e53a7fece09841be69fd8b6176d6f4c2777993c766

C:\Users\Admin\Desktop\Client-built.exe

MD5 cccda4656c0a50bae7421b77bac92620
SHA1 2c233643f8681cc2fb52f54c364cf3a1772bcb53
SHA256 e137c0cf65e0fc4ffb3fe9cdcb0a8281feb45165ace9505ee8b250f2506c0ef8
SHA512 4bd2232ab50aaa0de7275fd087523896b5051b854802eee8c35f7ece0c835109bde884bf7f1b341a6158badee8e680f61e6d3577198db9b2fc06bc020fd3cd65

memory/3232-611-0x00000000007A0000-0x0000000000AC4000-memory.dmp

memory/4616-618-0x000000001C520000-0x000000001C532000-memory.dmp

memory/4616-619-0x000000001C580000-0x000000001C5BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/4616-627-0x000000001D730000-0x000000001DC58000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\2024-08-04

MD5 70efa17933ca4cf0406586b72919fd1d
SHA1 4d3b7b269aca8747044d0bf53d8447518111c9f6
SHA256 05d71b66acb0fac15c5168ed76a1d80db256de5cb8f38727d09a853128ac3ff4
SHA512 4701d3e8822f869a0a7669d61e1d96664dc7d567f96176c9a0b0c9067cc5c21890452dc7f242b0a8712d01e3879170280161c4fccba2b765943167068355a172

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Clients\Admin@HVDPCYGS_872C1E3\Logs\2024-08-04.html

MD5 bc62de9d5127ece1d08aec11a96470d1
SHA1 53e92faf01aa88ee506c94cbaf1246f57ab1e8c6
SHA256 12d029c3a7a7a9aefc54e4bf7e6b67b6844debe74654a286ef93ef98bf84f8bb
SHA512 6af7f475bb464bcffc71317696e4fae11b397b5e15d03a2aa73a79fabc56c3fff78cc825bfcfe506d2d3060837e0b96b9e0fd6e4a1a134a4a235e19c65901d6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 174677ca5072735570c983bc1b4b9a65
SHA1 68efff4c84b32f794ac50fc1b59f315e7b5c5ca0
SHA256 c55a7b95513a69964f9ace2f3db3df1da88e220ac9ccbdc7b050b70cf1ad0834
SHA512 e2570b1efb85449f4ae12ce1867c437404d90193cb50e3820ee19f9c1aa234fc27b008ae05e324da13d9be985fdfbb2823a09c1c802e90444ffb71c3bb20d5b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 9adfc712ca60ba42d375e0bdfae96685
SHA1 65d18f4b081384abe450ce6caa6cb07ddd49af5a
SHA256 0589cb2345357d1a28e18225e45cf533d1d3a0c0bc82f81a8e1bd492bf3f5539
SHA512 0645fb6190e71511eea77a2fcb69c290056b244c1c2798f3de7088773574ff60bbe07fa13adb7fc24f8a45455208f6b9cfe990972ab9fd1ae5e73e6e2ad8b2a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

MD5 8b695313591c7438b2be4f2fdf243a46
SHA1 6ec7632f958e518b156b4277453a643ae6a03d3a
SHA256 11eefc60df7e831756bcc5daa9b6a5d3736303d984e30c27bbf46c8d16b5195f
SHA512 fb5567540f787e3cb1fe33248bb740b888411fe54e8c9f5697c87cc0960e8e1619ec1527466d05fef3cba08c5279b88fdb15eb8863b6a77357c78f7768fe6442

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 0f633d7f01c7d66663f3b9e241dc2309
SHA1 414f9c83833857d788724f2228bb41984171ff92
SHA256 c25b6eb116df6c8023a63e31e9974eada4320fdb062494d6ca55f5e33c6af91d
SHA512 2db01e39811535d3d0c82f8a76be5bcf8f12e544fe5251360b80cf055f5e86b62746a67baf1b07662cc43e5cb4374fc1d063251cd05900911c401b45ab96838d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 9be5544a90bc459bfcc598092cdf7eb3
SHA1 9f89f65786141ac8dd13bf2b32f7f79fb5d1aed6
SHA256 1a161192ceb6dd3733419b845a17ad1cd1aa8a8198cda9b32669a9a7737bdc0d
SHA512 f5c2ee0feac601c449299a96d19ac5b6716411260fa692120b92d2cae3bff54b66ced27ca01fc33af3a46cbe487f205ba948b81e8756e12e6dad9ef31cdaa4a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5 9c1d6433c46676a24eb11560eee42452
SHA1 6212a0c82bb8bb1856737e215f857a503916e9f7
SHA256 cb8b235ec62f55f02000ed6e279a71ee36e483a8a454f14cb9eda6934b4d9470
SHA512 8a21dfb6acce7c36a451208e6be795a2c510213e4ebfeff75491238d11445cbed7b9fbae0b2825b565887edbac3895e4ed2610b914629f81ad61ef1b563e6329

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 8dab8aa8585ab99acc3f766b919a23db
SHA1 a3e39aabf5a8313a3567ed1bac62d03da5ebd1f1
SHA256 00a3d2dca669c1be4ca3094746e8a7734b64de107561eff011e8dc5c15ea91b1
SHA512 d6baa2ebe90952c09bdcb82e87a09874abf2b1099726f7aeb2aa21a50c05254567466dc7e68eb110b097adb922cdf4cacf1d3d62a9bb2c318cac66ce9ed23abc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 fd9256d5a984f4a4c174d1edd57dca89
SHA1 92a67cb64e845308aad49b583e8c0b748c6a12d6
SHA256 71b99603a64823d064421d16957424d52d395369aa48fe82f37cec796bb312a3
SHA512 8087791ceafd17ea656fdc6327ea1925f66da216f2cb4a76ec3254b285d3eb97ad8517486d3306904cacee946b51aa077bf498cc0166828f03abef72e0e910cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4df4574bfbb7e0b0bc56c2c9b12b6c47
SHA1 81efcbd3e3da8221444a21f45305af6fa4b71907
SHA256 e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA512 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

MD5 3dfbb3cafa28956a504083259b00df86
SHA1 93f0e8c2f5fd77bf11c259d9c7e0487fd0e5c7a6
SHA256 41f74efb97057eb5ba8b96fca994e63f27f1f5cc2a3da985be1d59175e9d0fc0
SHA512 f7598599aa29138f5ee85f4cb62def345eca31d4038d042e218170b7edf1f904217df7c1f4fd39dbedc70b7dde3af4e4b85801c19edd5ff8419b2102740337d5

C:\$SysReset\CloudImage\metadata\UpdateAgent.dll

MD5 69408426a6fe28cc42ec4e9746306316
SHA1 20cb0cda61fc86a7ee55fe29857f72d7238f11f0
SHA256 891c5381840ab53bc2a493a7f7ed004d8fa2bfc4fa2bf64a9e1f561e2579268d
SHA512 7d52243f584c3a34d434a7ae5fb85b5c9861fb965006961a13a27504c03f4635ce8d6a507986e80a8009b898d52008c0a70d65d4bc06034134362855dd178ca3

C:\$SysReset\CloudImage\metadata\dpx.dll

MD5 29bda3453b0cba312463c84381f373c7
SHA1 aca843cf1fc8607226a3fb32f6424ea1546eef30
SHA256 15d29a06aecd840a42f3324e2951d28995f853c12f6164b60949d16aeab1824c
SHA512 6f50d6a368eaa34021674b36938a2690bedb5008838af43029b441d2bbe2c531debfb9693a867371752e720239f03a540ff08a5cac67a51ce8eade1c435cd4b5

C:\$SysReset\CloudImage\metadata\UAOneSettings.dll

MD5 c230b6b003b3131c1972fa56aeb79fcf
SHA1 083e36a67147b031f4ccb9e6d396529789977d85
SHA256 013bec06baaa081e903fdb62a50abfce9e057955170b07edf3b92ec6c547887e
SHA512 f75f4adf6d0a6a2410cf69da0574990437b6a18f9c8e93a9dcdb9d18121ddb553f10063dc0c30fa393ec990ba0db9c68e87c7c67a95478c87144483a9844f099

C:\$SysReset\CloudImage\metadata\Mitigation.dll

MD5 6436c1e2fd21ec4fef4410167bb6ba5e
SHA1 1519316fa3b0bb01b0b05813f954bea9abcc8a03
SHA256 597ef98660bb4be7c0f09e507fb5b394b334c49db9d67e46a162d58aefb6e022
SHA512 2242e4a5c60ca467fd3fe64d097411d9452266d0253e565cba648916e3b173dd789fdc45d2be083d7b71fb4f9e997966655d9214f1813777302b038270522370

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_it-it.CompDB.xml.cab

MD5 1f89fac27015649908857f4ae63de59c
SHA1 bc3bc4b15eea2321156ff4818686fa4c008296d6
SHA256 74497495d7a5ffc28ecad6596c03702abd0758a068f0c6d3017e31d2655fad13
SHA512 8553cf9c770d291af59aeed0890dda5e891ca622cabdfe1249b98968086d6442db03b15184f1e34d590514e71a1e78620ae8f6f6d0e889609c9659d1f112fd04

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_id-id.CompDB.xml.cab

MD5 fa21745dee956210ca2f09b802108379
SHA1 0d6ca47c794f14cc8907edd04fcc4709a5813e31
SHA256 de05b252d420b8e8f28471bb39115dde9005d392eda4c09a5c557dd98db84107
SHA512 8373819f4873e734c134939452605d2102d0f1c083a63e581be88577d6b92681f17d49ba36fa8024b8f91265fe331b0c854e584fa9c95ce8e064e4b30508b662

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_hu-hu.CompDB.xml.cab

MD5 8d5bee317aeeaefb302014758fed0612
SHA1 3e5d3d0ad2c713a6dc9db2c978fd5d33ccf6d83a
SHA256 be09db63d9d58b87b6750ab2369616fb3f228a9f6f32ef1bdecf2ff77ed2a2c7
SHA512 842247c402cd268eb51c0747bf9885f4579ecd79f4efcb03635eb58c0ee09415e0521747d91937859eb8657d8394b7cac7b0248c3b0324cfa7d547494a9bf86c

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_hr-hr.CompDB.xml.cab

MD5 57afb1327ae97a65ab58954a7c7cce38
SHA1 78d1b656c2bcaac6bac4c74cec514a00a2edfea8
SHA256 b29b72158bb09c4cf61cd1af7849cd6a4ae092e39e5c536579b0779a6e2d3fed
SHA512 895b62e1fbad905020cd1685a4bd7487d4a1a08e9ab7997b005bd39c5c5a0dbbdc5524a31fa8ef01b848a1658150c3e2f1f9851b08ddf7ce1d02b11a73c95126

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_he-il.CompDB.xml.cab

MD5 fd0f365ab0ddda136be2daa79bc3156e
SHA1 9cc250659501d2c23003a2747c306e9bab9f8d60
SHA256 e9ee8268809809295b887349740bc8b10b605b2f0cf361233cb7e3f3c6f787ed
SHA512 e031f3f16b9ad482eb49f0d5284946c05565d10c715d324843f087e5c5a65d57b7cbfb840cae80310277d732b3906e2f51ef71e75595cf4647d7bf4b89fbe8a0

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fr-fr.CompDB.xml.cab

MD5 a96f4f0f0efa9624343d69edc823d9b4
SHA1 769e10d7e4216f2a9e541bfcac274ab059667e68
SHA256 cddc265162029f301e3a31506bce636509d2597223c77d410e989d36bc43f13e
SHA512 3ce79218ed71766a8424dffe8bc2ff0842dbefd3bae5e00a20cd569e17c91cbdf7f1d5a9e1e47eeef297c3aa51ab6e5b2962087af57b3f0f43c2f22b6247717e

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fr-ca.CompDB.xml.cab

MD5 24e6f04053bd7568e7e50dea7ee6af68
SHA1 4bc3e0a58cda673114ae3283ce7a6437e7660edb
SHA256 42351f8d85d1f8789a337ecfd85b254e65a767232e89878ba3182aaf68a47e6f
SHA512 2fea27f7db72b7c999c9b6fae7ab51802f1182bd731d9acefb2891e8fe18b5013b2e399c77176e49ac9f27bff542812736dd97e6cc06bf477596620f5c604b46

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fi-fi.CompDB.xml.cab

MD5 87f71a1fc29e28a2e138d49bc82a43f3
SHA1 14f2a3a85162e2e7932c69a95e4ca2b0057ffe69
SHA256 0c95f3c316cf74e4b46f1d1a43f718ea47b4c15ecdfc273042f660c98bdc254e
SHA512 183e2adfa9afa4fbec28968af5e09e207fa3403d15f54c2d666ca348299eb57c4ccda36bb5a6e70d6f0b7ed44f2df160b997439144b3fb5143a782ab275e22ed

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_et-ee.CompDB.xml.cab

MD5 b75b777b8743bd509bdf9f59825823c1
SHA1 8a474eb7b01206ba88aae87b287dba96a44e2e47
SHA256 d7099d9a6757b428e82b8100ce2cbee77d4c359ff2b2d27831a155e9cc9442e5
SHA512 31ab7a4f2630dd84121b0ba10fb6b7ef1db2f5dcc4b9d098680c0b018b086b16c322fa2561856a1a6771cc19891faf808f682e8b8c38466f038a1dddce70e559

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_es-mx.CompDB.xml.cab

MD5 c310d1bf613219c29ef7325d5d7c3f34
SHA1 93ef60383ded86ad5bca2060c6854c1b6c7a8e04
SHA256 a0d8284f08bf728e4a19bf14b0f51068d1fcecf5cc277a2835af9b3f5221d6a1
SHA512 8083605ace9a462a4bdc8ab156e3d82ee744c9d6420886ee0bac5f3911ab81c5499195443d4ec7a3e5cb55099fc57daa2518dc7475668ab0a05c0a349e810888

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_es-es.CompDB.xml.cab

MD5 a1ca8e6d8c9b3852f4a67dc892422f36
SHA1 ba7b2017d6fbfaa38e1d9c0a7b9a849df9139869
SHA256 7c50b8420c8b0cdd48457a03fca407b940841a47c7a09762ee44b9dc1b6a8370
SHA512 7dc3bd971f9bbb5bf055c229191409323289a10236762751aabf2a375c85209ce517bf78531f3914ddaf4258158ea0f7c4e2585a611d4c9f09aebd8fc31030b5

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_en-us.CompDB.xml.cab

MD5 a83112f73700b04f7e2269d5035ed7d7
SHA1 abfad299ed2275cb7318843ccb55f8107afe08e3
SHA256 7ff228a96ed33e47464dd7cd21338727b00d71318d23877d3670a0d0ce4bfb94
SHA512 17d5fceb18533e29a8ee23d282223afa75ba51f45e0197a96256671216015e1a6c35b085d338a1bdf2303f63e3f68827b37bcaa27f63fedeee6256cfcfad45f9

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_en-gb.CompDB.xml.cab

MD5 cfa403ca31e03930ef86106747141e38
SHA1 a433317ec46c65d5ecf60862bf1b53cbd93a2bd2
SHA256 f59acd90823da247b61605a22eb73f90ce4dfc31664398495e89e634dd519d31
SHA512 b09c1cb61e65bd1076696b08f9af8fa071b539f32e771fe631a28ab19520013b329498b52373532dc01abfa9d1582971ef858e9ed5e1b1f204466f45a1e2205e

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_el-gr.CompDB.xml.cab

MD5 b3a1893721c1a2c7032efbf366f44f74
SHA1 1745fabbe0e5497eb60e822f6b1a9cb7b05cef08
SHA256 2bb68feddf18ef7692b9dddcdcf650632712e478a7e58cf226f4a1343899f9bc
SHA512 54321d96f2c961013d39b50a0317f2bfe39a8d64a679b6aa70a28f61e82d8c53f3dd9d2239129b43ab107317c850c30754dfd9749a75c5315ae3495f29358d48

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_de-de.CompDB.xml.cab

MD5 7e21b40a21b06403e9612cc73d46228b
SHA1 2ca64382163556ccdb02f5123faebdc4daf22c09
SHA256 051097420c09aa3d7348dda0872092ccd9118043ae20e56725e42b73c3dfd42d
SHA512 33074c263febb4a07c7a01379ee46a52860f42f3926ede3c320cdc7e015906616501f9b1c28be4816201a102267867250154b72877d80bbddf4ba68cdb79beec

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_da-dk.CompDB.xml.cab

MD5 24436a3af469e98c90cefa37409584d6
SHA1 1b1df7cb3b15a31721ad014faceacd977b0a4567
SHA256 7ce7e1e864e84dfc5eace134a236e9312a7deb9c3f8413a43580f86a8f15019f
SHA512 b14ec01a13944d3be427059b37de3ff70f9e256aa4220da76dcb77d97e84208970cbac1ff28ed635da684e6be5560ea62d13f40a86b252b6a3a301037d4783ed

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_cs-cz.CompDB.xml.cab

MD5 c8b7dbad3b2d31c56fc6c35047988bc1
SHA1 b0817adf413d287fc929c5e2df1cacc3455ced43
SHA256 e8ce236f1a9706fceb6db46d1e89f7ee1134550c0fa767cec46acf788a1adbb7
SHA512 e09cb1213560e885f1fa9adfb0578c1e5ac2bf5b3a663242d19ad6f8125f631d23b512af03346cfbb716f91c6570cd39a65694720cac6504b3bb9c40ccb80940

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_ca-es.CompDB.xml.cab

MD5 ec32e5f5fbae4cea7d8eac9ec2c4da3d
SHA1 6203503e8f1f710973118dfacefa1973268f4970
SHA256 4cdadd73a1bef82f578c9da785339572561c649c9bdf0cc80134aef326644461
SHA512 90b01b8d8d2cefa9e2c765ecbc1f4d44e088c9bf4f670236b7b80334593e04c414fe389aaf9f8601402d68c964f5e1a862e9da0ca32ce9af23fc19a22bcbd6dc

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_bg-bg.CompDB.xml.cab

MD5 6583f80c152b3144a5cdecc99795214b
SHA1 df52ee426687262b5548d3c724b4f53ef6604839
SHA256 03b31d9afa1c55d3d5452bb9c69b6688d276e58221b8eda8469144aa019eb579
SHA512 da8c3fafb716e5b3f7e339fa59992b73463f6695571cba1711d402c58e14d1734ba26da7d1e2cc55d664d5469870f14f65652fb5ce492985fc5b2577602d3da1

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_ar-sa.CompDB.xml.cab

MD5 4c23e3473262f08834b8841ae2a52ba2
SHA1 5db8dba4f97e55361fc24c1b1694e9571f161183
SHA256 fe95f47d1f5227829fd03b05c896e757cae92ef7e5bf53ac89b8bfec16eac042
SHA512 f9aa2703fff27df1198ff4e20cd7f692e90a09b8a664d10fcd77fd979d7545282aa1379e3e3144effa3b71170238215eb1f2389c8ad488a67ce48ada357d62d3

\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\90ae2b83-04c3-4ea5-8685-fd898ec76d91.AggregatedMetadata.cab

MD5 ac8304d9dd93aa844e6a80ceec3bfcf6
SHA1 25d8a0e335aea196d69a21c4b64fef31a2ecb49b
SHA256 e5a3fbb00d6ec175f3912cbf333614034d088ee665cf276b8631b309714f96a6
SHA512 b415bb722ed5f6db287c8beca06ad6c4a9006c1a815b224b14ae55b85fe3f0e1b72db355ec7969eba9fc7d12cc3df84746dd81f6a478f9984e0d2ac7b85f8c63

C:\$SysReset\Scratch\csrss.exe

MD5 a976339058116fcf346437d797c7eec1
SHA1 69a1dcf6a41bc750cacec3185c99839c079275bd
SHA256 8ebf4096d28a78e8ab36e5084784acc90464eb4a74d972c942f147ea59e5134b
SHA512 72bac6ea896d9b7f817ef5644adbdea80bc7f852be124f08487507a4507fb0c0aec167ec03b9dfb8c4ede7f0dbcbdc8343bd3c114eea62bb1b842160fce324a4

C:\Windows\System32\Recovery\ReAgent.xml

MD5 606bb04b79c722de9b08833316da196b
SHA1 0b2721425831ceb6a660f44452d009d4e1959388
SHA256 4d2b43d964d53c7c65c36ed9d638aa5c272e54c9f861344c3eb38ad4ee64a512
SHA512 f062c5c907431a7006c3a172596967ce7895bd8f11de7b42549f6e979930a661cfd2604296533cc257796e69cecf7d2e62e761e328904a10a1ef1efb56a384bd

C:\Windows\Panther\UnattendGC\diagerr.xml

MD5 2ff3cb48098a371025bd35627e0ad18b
SHA1 45e73c16d3718ed33fa11987f23d7621102a96eb
SHA256 f5a7335d27c89072fc657286b1eb4203ef39fabfb40ae3e17150fc42f21346c7
SHA512 de30b7f190b9cb2d78843f29c3cc8460c47d81d9dae78acba1133cc1e42d6f52eb6c4291b161abb1429f48a88da96cee4e55938397f10e181464d59439ef44c4

C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5 f46ca122746cf66a7735a71ffa145f62
SHA1 0b190aae384f53bee055a789dbd868c60f246501
SHA256 eeab26bc6d25c9d40664fd63dd438a46439314bec5d460d1319411448e6e8dbb
SHA512 9d639570547e2c9e030eccf6b0556a5bd2ddccd0597d74c90002b7648bdd4c5a42126575a23c5b667c971874ab9e89b4f27dfd83d781c8ace517f4b9f50b2070

C:\Windows\Logs\PBR\ResetSession.xml

MD5 3f13d75af0ee3cfcda4f82d98719f06f
SHA1 9ffe54bf0f0dd28bb295d76c27c7caa548f39a68
SHA256 7f1ab4990396dab6c70ca58da8f103b15deda89096c884fa62c499403187554f
SHA512 81d60c33ac31f30f50e644f0c6bbd53bb89591971201d52f130e08586c2a961637048aa13ae08ffddd495b0eeeec7cc98f25a1db3db6de48ae50533e1f8a6fe1

C:\Windows\Logs\PBR\WinRE\bootstat.dat

MD5 3c08dea20e350ea34f7309e856576428
SHA1 d7a048ccc07b4d16afc4d778d5601a067fb151b9
SHA256 b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82
SHA512 1c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d

C:\Windows\Logs\PBR\Timestamp.xml

MD5 75720c403d57d188db40183385219803
SHA1 91aca8d220ac46a788a7478a50511f9da79847f6
SHA256 c2464f286ab6b8b534385064f0f4d770ffe040be4f1b5c3be340a4a511238b70
SHA512 47fcb2e3f02190cfee808ba6dc4d4057946076725a2e1172c4b9ab70f7ca91b7de2126047ac20491c3cf1f73971f55c9fa91117ab4fac107041af9dc3102c482

C:\$SysReset\Logs\setuperr.log

MD5 09efd6578f801457a55f8663fa8d09b2
SHA1 81dee466080d81484adca57dc2a0b6f18acb3a20
SHA256 08130b319e06fb8ad9e27768e219942e725de81f3895ceb0c7b81fae2a54acdd
SHA512 c053d1198448bb6df7978e8a3c5c7b65de7d79c4167c33b2631b8a717ce72c07b83a621288bf6318d39f65e3e1ecfb1f9132c6a43e54a68087316c1a62b2478e

C:\$SysReset\Logs\setupact.log

MD5 77ee2f9d3eac2790fa22a8d9d14cf29a
SHA1 803a334b59edb78615d38697f6f8a4e97a7b12c0
SHA256 c382318698d96d44d1190673f04d3a099c2fdb75747606beb131e7f3f2aa3d10
SHA512 02ec8c10d986617dd680d24166b8ccacda87dd03eaab278ebe80fbbc9c6f4c7a87cdf80824628eabb8d2c0971c2d55f9a2df1ddb24a04a40512d38cfb854e3c6

C:\Windows\Logs\PBR\SessionID.xml

MD5 3105d96cd9f198ca8986f4255789a09f
SHA1 5247bfce652665d6831f392de47c873953618ec2
SHA256 732d935d25d2db004c1e77ebc3040325562175ee6d76399057ca81f856c15815
SHA512 9098f665e199174a70d4c298354498d70caa32b1ecc26aa0458beadd0dfba12a20bd4c92db5bb5bfeea2f56a2234a69a3c264aa7cc114e122c5579518caaba93