Analysis Overview
Threat Level: Known bad
The file https://github.com/quasar/Quasar was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
Browser Information Discovery
Gathers network information
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Modifies registry class
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 07:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 07:42
Reported
2024-08-04 08:02
Platform
win10v2004-20240802-en
Max time kernel
1171s
Max time network
1172s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Client-built.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\PBR\CBS\CBS.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\DISM\dism.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\DDACLSys.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\BCDCopy | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\_s_3365.tmp | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\DISM | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\cbs_unattend.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\diagerr.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\setupinfo | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\ResetSession.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\WinRE | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\unattend.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\WinRE\bootstat.dat | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.dev.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\DISM\dism.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\_s_34CD.tmp | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\PushButtonReset.etl | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\PushButtonReset.etl | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\setup.exe | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\Contents0.dir | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\_s_3365.tmp | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\BCDCopy.LOG | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\SessionID.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\INF\setupapi.setup.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\cbs.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\Contents1.dir | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\Contents1.dir | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\ResetSession.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\MoSetup\UpdateAgent.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\INF\setupapi.dev.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.offline.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\cbs_unattend.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Timestamp.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\ReAgent | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\cbs.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\_s_34CD.tmp | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\BCDCopy | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\CBS | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\diagerr.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\setup.etl | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\_s_3616.tmp | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
Browser Information Discovery
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "5" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000025984631100557365727300640009000400efbe874f774804596b3d2e000000c70500000000010000000000000000003a000000000051291b0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000100000002000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 84003100000000000459973d1100444f574e4c4f7e3100006c0009000400efbe025984630459973d2e00000088e10100000001000000000000000000420000000000476ca50044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/quasar/Quasar
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb08a746f8,0x7ffb08a74708,0x7ffb08a74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5440 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14134833830242596616,16317225227126915834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1338eb32h7cf9h4555h9d6dhd547edced6ac
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb08a746f8,0x7ffb08a74708,0x7ffb08a74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,5966113813541161557,7906858648738657788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3927055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.110.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 185.199.111.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | camo.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| GB | 23.62.195.195:443 | cxcs.microsoft.net | tcp |
| GB | 184.28.176.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 90.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.195.62.23.in-addr.arpa | udp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| US | 8.8.8.8:53 | fe3.delivery.mp.microsoft.com | udp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
| N/A | 10.127.1.209:4782 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2783c40400a8912a79cfd383da731086 |
| SHA1 | 001a131fe399c30973089e18358818090ca81789 |
| SHA256 | 331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5 |
| SHA512 | b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685 |
\??\pipe\LOCAL\crashpad_3800_NUBMNOXIGZSGTMDR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ff63763eedb406987ced076e36ec9acf |
| SHA1 | 16365aa97cd1a115412f8ae436d5d4e9be5f7b5d |
| SHA256 | 8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c |
| SHA512 | ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f126701d56226f1c9a3f97779d207acd |
| SHA1 | 3d0421bc3902f41dac5be410b0048d2b2af33aca |
| SHA256 | 7a6fc03e58dc94fb2591fcc5bb7851d4063d66a0fc0160de697cb906d96d69df |
| SHA512 | f6a263b918136c3209508b081cf58b6f632394d67c34310bdee6ac1df2d6ee3fc91132455208d4fdc86187d24432ae3cbb07a9e9ccec26185e8ef261bfb544c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1cabdde96b5c96ae6c248a8e9d70daf0 |
| SHA1 | d9a3da99a677d71864ed06d111c799562dfc087a |
| SHA256 | c5f160d35f94c1f6ffe051a3de7e083f9b0a31c14d9d47c5f72423cb108f1e30 |
| SHA512 | 62a286ce96527f876537e8be23cab6a9d44b4fcac1cfe5726f6be5eff83e71e52c477123b3436a6902067ece4889d9aaca4e2b8078c5cc8fecce65833d5e575c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f5dd606494ad735c89492c2d6bc47973 |
| SHA1 | a1cf426d6a43476bf64cdec9b90deb9845995594 |
| SHA256 | fa34fb688d94ce3d9dee7f8b001e61c4225ba40664b8d1439d7303a02cbe6e6d |
| SHA512 | 2aea3f6749cca1b9bbb20391725af67a3b695dc588cc8a9ac73f7ad58840f25fe4e2f34fdb670896a4a416eaa86ad264c56aec5c177124f689a0d00696664bee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f1322ffed9cc7abc3be3fc5189c4e02c |
| SHA1 | c14c26c4964da5dd3301f6e3afef06406753dd23 |
| SHA256 | d6a09d7bfe543bd6d1932a74a8b5516be1409e2bc4e25ec51204287c2bedd3ab |
| SHA512 | 61f8be47b29ffdcf1612d8cdcfca1bfaf95fe6bebca18b3360053ad96f5223462dfe68b786ba5742a19ecf3b2f779e9603816f4cce162a4a589d3e46aaeaf578 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c5c4e2038dfc22fb6322b78c2bfbc7bf |
| SHA1 | 2a1c789198ad08c398a1a02991926c8a000cb466 |
| SHA256 | c3dec648ecb66f142d5c776dcecf37d7721109b8bbba046e20ec69c8b45c8e59 |
| SHA512 | 031c915b3776b0f58d8c27d689f7ac91948bfc72b4d49b5c9f95bf40ec0b6c481f25a2d9dbfb41859a6aa7b6be9a46670273dc41e012613a8506e0963a50e03d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58410b.TMP
| MD5 | b5b315881de4f0acb4bb40286de4f9e9 |
| SHA1 | 6e0967dfb4a3919acc70aa1fd8cfa8b2beed8440 |
| SHA256 | ad6d553bce7e392ce06ea74d7b24947f7abacd4d9ce7ae45f30d3cad691a615c |
| SHA512 | 9f732a7d4a1916eac005ac7448a2a8c797d77546b5bd547483fe4300bf6d082572eb5177d8af501c008f07c930f27e0a823d72941295fce8d150e087507cf084 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 33afee3b1d53045400b8a78c26a12b60 |
| SHA1 | b4d01e5e0230f100e392d4042163d92de2b83098 |
| SHA256 | 5be532af968d06c101dcad7b5064ab1d3b061fb1cf9e088d874a0cd9db4db8cd |
| SHA512 | eb26dbc14a72ea6e2b6faf0b5782fb465074ccfae361b87b8656d12d51c0f9673876a58d59914a46ce75e5127a9dee0241380e880606f14120a2fae315ada35d |
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip
| MD5 | 13aa4bf4f5ed1ac503c69470b1ede5c1 |
| SHA1 | c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00 |
| SHA256 | 4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62 |
| SHA512 | 767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ce7e25801f253f669196183b28c675b8 |
| SHA1 | 0ca97c5d01f94d953209d496af2c089b5e60af5a |
| SHA256 | 751a087cdd898e07523a85bbe6cccc72de56901afa814188795c7a9c70bab28d |
| SHA512 | 6fee1953b2a8ef418d8da3659267cf8b3e905c9ff4555a371366858390290d381610daa4a0654de338d933bffe2bc268e93cf2d42262d8f85555386ce440e81f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\68907989-342b-4a98-87d1-a8516813779c.tmp
| MD5 | feb394813b1384e547c557a1bbda0210 |
| SHA1 | e405e916c445867569ac8d8674312d4182cde006 |
| SHA256 | 31a3b0527dc567f289dd006914bbeab93ff77e3603f41d54297f0d7dabb42e1c |
| SHA512 | 9323c3b09ac487c509ea1d1982d8b295c2dcf26729a377420f6323a0d813bd19dea54e5eb4b0168ea2da2b36d76b50d73def7668255fc1337da71f2f5487ef5a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d877629c179cd80bbac5ff71d58de502 |
| SHA1 | bb7276ce5a6735636fbae2aba4bb653ca7b69103 |
| SHA256 | 26bd1a48cac4ca11607321280e360d77d90d3dc31f970640f4c7ec16c12bfe83 |
| SHA512 | ca9ee9f24d8ef7576684e5475d82edd2597462f19cbdd5ac3871486f3079f16ae819392fcb9ba23ad343f49411a4b1019db9229229faa9634c1ab49e929446a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 29687cc36ed46cb8f1c12ecf363eaf53 |
| SHA1 | 398468ae8f6606c973a2eccc478c726bfaf0371b |
| SHA256 | b8ec7641b64c6ddb3978acf5ea928188640a06ebf1a668805b56d271583e5116 |
| SHA512 | ef79741233966709ee8a0d52daad86ab072c9e5a810b243fb23f8b0490b364a20d400b847c967127dc2370dc05022705b8b7c5f2067c718861f7f979b05ac286 |
memory/4832-296-0x0000016ABC590000-0x0000016ABC6C8000-memory.dmp
memory/4832-297-0x0000016ABCAA0000-0x0000016ABCAB6000-memory.dmp
memory/4832-300-0x0000016AD9E30000-0x0000016ADA15E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0607fc3e10c176c10a7e41bee935bcb8 |
| SHA1 | bdef608a5ac402363e736ed001f9892ae2f65187 |
| SHA256 | 9b8c46871449717ecf4d21460a8e0322846fcf4595eaea28e528b169e4879e0b |
| SHA512 | 8e3059fb044a9f6609eb69f5cfb1577d123a6e4f904d1928e09859ff227bc8393147ce18232594ba5609a150cf5587fae2f239a9f5e12b2f3bc10a353d6dcfa2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 02ac2de942e0765034a1e439dec8e081 |
| SHA1 | f63f10cdd8a86cf49fb0eb919ff5e53aa6057860 |
| SHA256 | a0ca738d905339c182d849e6fd166bfe12b489492391a6f965307d48fa14e090 |
| SHA512 | d5c99b138305b89053398c5b67bba91ca4a2761e1ede60d596e67f84c054d65ee9d1fa0b3066e2be856da247195f3d69b51ccc836810692c15873e41d1fda5dd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 23a3063148f7bce8c648463ed5fedb7d |
| SHA1 | 22e6e98e0947f954982ab280f7a77f1d240cb682 |
| SHA256 | 0fba30c8186933174b2c395cb7aa254873cfc4d814fde1b4501ed2120fac7f7d |
| SHA512 | dc9a3e0d734c56032198cb3c25ab0dc903e24c6d2261f6aa17d408a4d6b91e1a5ab2c55f98210e9fb3c46c8d441b7ab8c7b9ec5f1b6e1b69d1657a2ac1079ddd |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
| MD5 | a194d77a59788335c0683606da4acdd2 |
| SHA1 | 735b11d8cbd266d5431c1d7c6757154f6335154c |
| SHA256 | 23b9bc7fd76051043da05ba3391056ccc8072bb59397d4daa3b46374b6c8add6 |
| SHA512 | 8526aef0e8560862755a4059bd81c2137c2bc9d6f961ca7bad6af8571f31e39f9667773c10b64eac1967e0bad05971e7f1f989b20cb625e2dbabaeff3cfa039a |
memory/4832-449-0x0000016AD8FF0000-0x0000016AD9008000-memory.dmp
memory/4832-450-0x0000016AD9270000-0x0000016AD92C0000-memory.dmp
memory/4832-451-0x0000016AD9BD0000-0x0000016AD9C82000-memory.dmp
memory/4832-452-0x0000016AD9B10000-0x0000016AD9B5C000-memory.dmp
memory/4832-454-0x0000016ADCE90000-0x0000016ADCEAA000-memory.dmp
memory/4832-453-0x0000016ADD350000-0x0000016ADD3AE000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml
| MD5 | 5b58471ac4e5bb2e94ed0434020b112a |
| SHA1 | be172639ae9372f147c5739ac025a4c0cc268f51 |
| SHA256 | abe326a74fc76908fe3dc1a06996b1b4550866a8c7b84e2917bc849d41f97edc |
| SHA512 | 5fb5f3e68c713a7334a33b4ab55f20510ba2e9ee0ac94074caf4361e4bf28f5705438f91259c91f05810de7fd608fd015493c887d1daf3eb1964cc095273c7e2 |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml
| MD5 | 94bbb85b209841b1379708d39eb7702c |
| SHA1 | ac4391c9a6b99a04cb414eb55d727ac8ac86d2a0 |
| SHA256 | 67a8b474793537687a6c087ac9f6c0fc75b4ec43e2f33bff90e0d2a68c82dc45 |
| SHA512 | 8b8b0f4758a9c87d3aadbf8e76acc86405bbb8b003c138876765aef7e1d2120feaa0f68055b400a5c34ff294d20bbee1e8173b037daab225a3e1b04cf8a54554 |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml
| MD5 | fca8b1c002395cf5d7ecf1a357f34319 |
| SHA1 | 3795bf632d1a619814301b5226d958ce78a0ab12 |
| SHA256 | 0ac0e8ff8e7d2722ee870e3e227f844d16ee41250a16ba0b2d3e1537297bdc21 |
| SHA512 | 5d38019d282afd8b8da9d0acf0c2e622c3a889e0f7e457d08aeb6324192b7ab904ad133c6336fc24555a00c9654a8d9d21fa7211299d01b4aaad028a5739483a |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2412658365-3084825385-3340777666-1000\5a9c4fbfa0752a8d057b8fa0c7db0f7a_dd06e985-ac7f-4567-b0c7-3752f03c29fc
| MD5 | 3f67394c0e096325c7243310c09593d8 |
| SHA1 | 7fa27bd2ec534764e8f32a0e69b0bec3e17eb7e0 |
| SHA256 | 92b6746998c595c1676aa850632210eeca3cd6db217f15d815e933a25c3f9027 |
| SHA512 | 7be00b805237566dc1b3ff296692a7560efae93d9304e5628ffedffccd8e4352349a517204444f66affed1e53a7fece09841be69fd8b6176d6f4c2777993c766 |
C:\Users\Admin\Desktop\Client-built.exe
| MD5 | cccda4656c0a50bae7421b77bac92620 |
| SHA1 | 2c233643f8681cc2fb52f54c364cf3a1772bcb53 |
| SHA256 | e137c0cf65e0fc4ffb3fe9cdcb0a8281feb45165ace9505ee8b250f2506c0ef8 |
| SHA512 | 4bd2232ab50aaa0de7275fd087523896b5051b854802eee8c35f7ece0c835109bde884bf7f1b341a6158badee8e680f61e6d3577198db9b2fc06bc020fd3cd65 |
memory/3232-611-0x00000000007A0000-0x0000000000AC4000-memory.dmp
memory/4616-618-0x000000001C520000-0x000000001C532000-memory.dmp
memory/4616-619-0x000000001C580000-0x000000001C5BC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/4616-627-0x000000001D730000-0x000000001DC58000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\2024-08-04
| MD5 | 70efa17933ca4cf0406586b72919fd1d |
| SHA1 | 4d3b7b269aca8747044d0bf53d8447518111c9f6 |
| SHA256 | 05d71b66acb0fac15c5168ed76a1d80db256de5cb8f38727d09a853128ac3ff4 |
| SHA512 | 4701d3e8822f869a0a7669d61e1d96664dc7d567f96176c9a0b0c9067cc5c21890452dc7f242b0a8712d01e3879170280161c4fccba2b765943167068355a172 |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Clients\Admin@HVDPCYGS_872C1E3\Logs\2024-08-04.html
| MD5 | bc62de9d5127ece1d08aec11a96470d1 |
| SHA1 | 53e92faf01aa88ee506c94cbaf1246f57ab1e8c6 |
| SHA256 | 12d029c3a7a7a9aefc54e4bf7e6b67b6844debe74654a286ef93ef98bf84f8bb |
| SHA512 | 6af7f475bb464bcffc71317696e4fae11b397b5e15d03a2aa73a79fabc56c3fff78cc825bfcfe506d2d3060837e0b96b9e0fd6e4a1a134a4a235e19c65901d6c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 174677ca5072735570c983bc1b4b9a65 |
| SHA1 | 68efff4c84b32f794ac50fc1b59f315e7b5c5ca0 |
| SHA256 | c55a7b95513a69964f9ace2f3db3df1da88e220ac9ccbdc7b050b70cf1ad0834 |
| SHA512 | e2570b1efb85449f4ae12ce1867c437404d90193cb50e3820ee19f9c1aa234fc27b008ae05e324da13d9be985fdfbb2823a09c1c802e90444ffb71c3bb20d5b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | 9adfc712ca60ba42d375e0bdfae96685 |
| SHA1 | 65d18f4b081384abe450ce6caa6cb07ddd49af5a |
| SHA256 | 0589cb2345357d1a28e18225e45cf533d1d3a0c0bc82f81a8e1bd492bf3f5539 |
| SHA512 | 0645fb6190e71511eea77a2fcb69c290056b244c1c2798f3de7088773574ff60bbe07fa13adb7fc24f8a45455208f6b9cfe990972ab9fd1ae5e73e6e2ad8b2a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
| MD5 | 8b695313591c7438b2be4f2fdf243a46 |
| SHA1 | 6ec7632f958e518b156b4277453a643ae6a03d3a |
| SHA256 | 11eefc60df7e831756bcc5daa9b6a5d3736303d984e30c27bbf46c8d16b5195f |
| SHA512 | fb5567540f787e3cb1fe33248bb740b888411fe54e8c9f5697c87cc0960e8e1619ec1527466d05fef3cba08c5279b88fdb15eb8863b6a77357c78f7768fe6442 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 0f633d7f01c7d66663f3b9e241dc2309 |
| SHA1 | 414f9c83833857d788724f2228bb41984171ff92 |
| SHA256 | c25b6eb116df6c8023a63e31e9974eada4320fdb062494d6ca55f5e33c6af91d |
| SHA512 | 2db01e39811535d3d0c82f8a76be5bcf8f12e544fe5251360b80cf055f5e86b62746a67baf1b07662cc43e5cb4374fc1d063251cd05900911c401b45ab96838d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 9be5544a90bc459bfcc598092cdf7eb3 |
| SHA1 | 9f89f65786141ac8dd13bf2b32f7f79fb5d1aed6 |
| SHA256 | 1a161192ceb6dd3733419b845a17ad1cd1aa8a8198cda9b32669a9a7737bdc0d |
| SHA512 | f5c2ee0feac601c449299a96d19ac5b6716411260fa692120b92d2cae3bff54b66ced27ca01fc33af3a46cbe487f205ba948b81e8756e12e6dad9ef31cdaa4a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
| MD5 | 9c1d6433c46676a24eb11560eee42452 |
| SHA1 | 6212a0c82bb8bb1856737e215f857a503916e9f7 |
| SHA256 | cb8b235ec62f55f02000ed6e279a71ee36e483a8a454f14cb9eda6934b4d9470 |
| SHA512 | 8a21dfb6acce7c36a451208e6be795a2c510213e4ebfeff75491238d11445cbed7b9fbae0b2825b565887edbac3895e4ed2610b914629f81ad61ef1b563e6329 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | 8dab8aa8585ab99acc3f766b919a23db |
| SHA1 | a3e39aabf5a8313a3567ed1bac62d03da5ebd1f1 |
| SHA256 | 00a3d2dca669c1be4ca3094746e8a7734b64de107561eff011e8dc5c15ea91b1 |
| SHA512 | d6baa2ebe90952c09bdcb82e87a09874abf2b1099726f7aeb2aa21a50c05254567466dc7e68eb110b097adb922cdf4cacf1d3d62a9bb2c318cac66ce9ed23abc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | fd9256d5a984f4a4c174d1edd57dca89 |
| SHA1 | 92a67cb64e845308aad49b583e8c0b748c6a12d6 |
| SHA256 | 71b99603a64823d064421d16957424d52d395369aa48fe82f37cec796bb312a3 |
| SHA512 | 8087791ceafd17ea656fdc6327ea1925f66da216f2cb4a76ec3254b285d3eb97ad8517486d3306904cacee946b51aa077bf498cc0166828f03abef72e0e910cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4df4574bfbb7e0b0bc56c2c9b12b6c47 |
| SHA1 | 81efcbd3e3da8221444a21f45305af6fa4b71907 |
| SHA256 | e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377 |
| SHA512 | 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
| MD5 | 3dfbb3cafa28956a504083259b00df86 |
| SHA1 | 93f0e8c2f5fd77bf11c259d9c7e0487fd0e5c7a6 |
| SHA256 | 41f74efb97057eb5ba8b96fca994e63f27f1f5cc2a3da985be1d59175e9d0fc0 |
| SHA512 | f7598599aa29138f5ee85f4cb62def345eca31d4038d042e218170b7edf1f904217df7c1f4fd39dbedc70b7dde3af4e4b85801c19edd5ff8419b2102740337d5 |
C:\$SysReset\CloudImage\metadata\UpdateAgent.dll
| MD5 | 69408426a6fe28cc42ec4e9746306316 |
| SHA1 | 20cb0cda61fc86a7ee55fe29857f72d7238f11f0 |
| SHA256 | 891c5381840ab53bc2a493a7f7ed004d8fa2bfc4fa2bf64a9e1f561e2579268d |
| SHA512 | 7d52243f584c3a34d434a7ae5fb85b5c9861fb965006961a13a27504c03f4635ce8d6a507986e80a8009b898d52008c0a70d65d4bc06034134362855dd178ca3 |
C:\$SysReset\CloudImage\metadata\dpx.dll
| MD5 | 29bda3453b0cba312463c84381f373c7 |
| SHA1 | aca843cf1fc8607226a3fb32f6424ea1546eef30 |
| SHA256 | 15d29a06aecd840a42f3324e2951d28995f853c12f6164b60949d16aeab1824c |
| SHA512 | 6f50d6a368eaa34021674b36938a2690bedb5008838af43029b441d2bbe2c531debfb9693a867371752e720239f03a540ff08a5cac67a51ce8eade1c435cd4b5 |
C:\$SysReset\CloudImage\metadata\UAOneSettings.dll
| MD5 | c230b6b003b3131c1972fa56aeb79fcf |
| SHA1 | 083e36a67147b031f4ccb9e6d396529789977d85 |
| SHA256 | 013bec06baaa081e903fdb62a50abfce9e057955170b07edf3b92ec6c547887e |
| SHA512 | f75f4adf6d0a6a2410cf69da0574990437b6a18f9c8e93a9dcdb9d18121ddb553f10063dc0c30fa393ec990ba0db9c68e87c7c67a95478c87144483a9844f099 |
C:\$SysReset\CloudImage\metadata\Mitigation.dll
| MD5 | 6436c1e2fd21ec4fef4410167bb6ba5e |
| SHA1 | 1519316fa3b0bb01b0b05813f954bea9abcc8a03 |
| SHA256 | 597ef98660bb4be7c0f09e507fb5b394b334c49db9d67e46a162d58aefb6e022 |
| SHA512 | 2242e4a5c60ca467fd3fe64d097411d9452266d0253e565cba648916e3b173dd789fdc45d2be083d7b71fb4f9e997966655d9214f1813777302b038270522370 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_it-it.CompDB.xml.cab
| MD5 | 1f89fac27015649908857f4ae63de59c |
| SHA1 | bc3bc4b15eea2321156ff4818686fa4c008296d6 |
| SHA256 | 74497495d7a5ffc28ecad6596c03702abd0758a068f0c6d3017e31d2655fad13 |
| SHA512 | 8553cf9c770d291af59aeed0890dda5e891ca622cabdfe1249b98968086d6442db03b15184f1e34d590514e71a1e78620ae8f6f6d0e889609c9659d1f112fd04 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_id-id.CompDB.xml.cab
| MD5 | fa21745dee956210ca2f09b802108379 |
| SHA1 | 0d6ca47c794f14cc8907edd04fcc4709a5813e31 |
| SHA256 | de05b252d420b8e8f28471bb39115dde9005d392eda4c09a5c557dd98db84107 |
| SHA512 | 8373819f4873e734c134939452605d2102d0f1c083a63e581be88577d6b92681f17d49ba36fa8024b8f91265fe331b0c854e584fa9c95ce8e064e4b30508b662 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_hu-hu.CompDB.xml.cab
| MD5 | 8d5bee317aeeaefb302014758fed0612 |
| SHA1 | 3e5d3d0ad2c713a6dc9db2c978fd5d33ccf6d83a |
| SHA256 | be09db63d9d58b87b6750ab2369616fb3f228a9f6f32ef1bdecf2ff77ed2a2c7 |
| SHA512 | 842247c402cd268eb51c0747bf9885f4579ecd79f4efcb03635eb58c0ee09415e0521747d91937859eb8657d8394b7cac7b0248c3b0324cfa7d547494a9bf86c |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_hr-hr.CompDB.xml.cab
| MD5 | 57afb1327ae97a65ab58954a7c7cce38 |
| SHA1 | 78d1b656c2bcaac6bac4c74cec514a00a2edfea8 |
| SHA256 | b29b72158bb09c4cf61cd1af7849cd6a4ae092e39e5c536579b0779a6e2d3fed |
| SHA512 | 895b62e1fbad905020cd1685a4bd7487d4a1a08e9ab7997b005bd39c5c5a0dbbdc5524a31fa8ef01b848a1658150c3e2f1f9851b08ddf7ce1d02b11a73c95126 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_he-il.CompDB.xml.cab
| MD5 | fd0f365ab0ddda136be2daa79bc3156e |
| SHA1 | 9cc250659501d2c23003a2747c306e9bab9f8d60 |
| SHA256 | e9ee8268809809295b887349740bc8b10b605b2f0cf361233cb7e3f3c6f787ed |
| SHA512 | e031f3f16b9ad482eb49f0d5284946c05565d10c715d324843f087e5c5a65d57b7cbfb840cae80310277d732b3906e2f51ef71e75595cf4647d7bf4b89fbe8a0 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fr-fr.CompDB.xml.cab
| MD5 | a96f4f0f0efa9624343d69edc823d9b4 |
| SHA1 | 769e10d7e4216f2a9e541bfcac274ab059667e68 |
| SHA256 | cddc265162029f301e3a31506bce636509d2597223c77d410e989d36bc43f13e |
| SHA512 | 3ce79218ed71766a8424dffe8bc2ff0842dbefd3bae5e00a20cd569e17c91cbdf7f1d5a9e1e47eeef297c3aa51ab6e5b2962087af57b3f0f43c2f22b6247717e |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fr-ca.CompDB.xml.cab
| MD5 | 24e6f04053bd7568e7e50dea7ee6af68 |
| SHA1 | 4bc3e0a58cda673114ae3283ce7a6437e7660edb |
| SHA256 | 42351f8d85d1f8789a337ecfd85b254e65a767232e89878ba3182aaf68a47e6f |
| SHA512 | 2fea27f7db72b7c999c9b6fae7ab51802f1182bd731d9acefb2891e8fe18b5013b2e399c77176e49ac9f27bff542812736dd97e6cc06bf477596620f5c604b46 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_fi-fi.CompDB.xml.cab
| MD5 | 87f71a1fc29e28a2e138d49bc82a43f3 |
| SHA1 | 14f2a3a85162e2e7932c69a95e4ca2b0057ffe69 |
| SHA256 | 0c95f3c316cf74e4b46f1d1a43f718ea47b4c15ecdfc273042f660c98bdc254e |
| SHA512 | 183e2adfa9afa4fbec28968af5e09e207fa3403d15f54c2d666ca348299eb57c4ccda36bb5a6e70d6f0b7ed44f2df160b997439144b3fb5143a782ab275e22ed |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_et-ee.CompDB.xml.cab
| MD5 | b75b777b8743bd509bdf9f59825823c1 |
| SHA1 | 8a474eb7b01206ba88aae87b287dba96a44e2e47 |
| SHA256 | d7099d9a6757b428e82b8100ce2cbee77d4c359ff2b2d27831a155e9cc9442e5 |
| SHA512 | 31ab7a4f2630dd84121b0ba10fb6b7ef1db2f5dcc4b9d098680c0b018b086b16c322fa2561856a1a6771cc19891faf808f682e8b8c38466f038a1dddce70e559 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_es-mx.CompDB.xml.cab
| MD5 | c310d1bf613219c29ef7325d5d7c3f34 |
| SHA1 | 93ef60383ded86ad5bca2060c6854c1b6c7a8e04 |
| SHA256 | a0d8284f08bf728e4a19bf14b0f51068d1fcecf5cc277a2835af9b3f5221d6a1 |
| SHA512 | 8083605ace9a462a4bdc8ab156e3d82ee744c9d6420886ee0bac5f3911ab81c5499195443d4ec7a3e5cb55099fc57daa2518dc7475668ab0a05c0a349e810888 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_es-es.CompDB.xml.cab
| MD5 | a1ca8e6d8c9b3852f4a67dc892422f36 |
| SHA1 | ba7b2017d6fbfaa38e1d9c0a7b9a849df9139869 |
| SHA256 | 7c50b8420c8b0cdd48457a03fca407b940841a47c7a09762ee44b9dc1b6a8370 |
| SHA512 | 7dc3bd971f9bbb5bf055c229191409323289a10236762751aabf2a375c85209ce517bf78531f3914ddaf4258158ea0f7c4e2585a611d4c9f09aebd8fc31030b5 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_en-us.CompDB.xml.cab
| MD5 | a83112f73700b04f7e2269d5035ed7d7 |
| SHA1 | abfad299ed2275cb7318843ccb55f8107afe08e3 |
| SHA256 | 7ff228a96ed33e47464dd7cd21338727b00d71318d23877d3670a0d0ce4bfb94 |
| SHA512 | 17d5fceb18533e29a8ee23d282223afa75ba51f45e0197a96256671216015e1a6c35b085d338a1bdf2303f63e3f68827b37bcaa27f63fedeee6256cfcfad45f9 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_en-gb.CompDB.xml.cab
| MD5 | cfa403ca31e03930ef86106747141e38 |
| SHA1 | a433317ec46c65d5ecf60862bf1b53cbd93a2bd2 |
| SHA256 | f59acd90823da247b61605a22eb73f90ce4dfc31664398495e89e634dd519d31 |
| SHA512 | b09c1cb61e65bd1076696b08f9af8fa071b539f32e771fe631a28ab19520013b329498b52373532dc01abfa9d1582971ef858e9ed5e1b1f204466f45a1e2205e |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_el-gr.CompDB.xml.cab
| MD5 | b3a1893721c1a2c7032efbf366f44f74 |
| SHA1 | 1745fabbe0e5497eb60e822f6b1a9cb7b05cef08 |
| SHA256 | 2bb68feddf18ef7692b9dddcdcf650632712e478a7e58cf226f4a1343899f9bc |
| SHA512 | 54321d96f2c961013d39b50a0317f2bfe39a8d64a679b6aa70a28f61e82d8c53f3dd9d2239129b43ab107317c850c30754dfd9749a75c5315ae3495f29358d48 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_de-de.CompDB.xml.cab
| MD5 | 7e21b40a21b06403e9612cc73d46228b |
| SHA1 | 2ca64382163556ccdb02f5123faebdc4daf22c09 |
| SHA256 | 051097420c09aa3d7348dda0872092ccd9118043ae20e56725e42b73c3dfd42d |
| SHA512 | 33074c263febb4a07c7a01379ee46a52860f42f3926ede3c320cdc7e015906616501f9b1c28be4816201a102267867250154b72877d80bbddf4ba68cdb79beec |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_da-dk.CompDB.xml.cab
| MD5 | 24436a3af469e98c90cefa37409584d6 |
| SHA1 | 1b1df7cb3b15a31721ad014faceacd977b0a4567 |
| SHA256 | 7ce7e1e864e84dfc5eace134a236e9312a7deb9c3f8413a43580f86a8f15019f |
| SHA512 | b14ec01a13944d3be427059b37de3ff70f9e256aa4220da76dcb77d97e84208970cbac1ff28ed635da684e6be5560ea62d13f40a86b252b6a3a301037d4783ed |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_cs-cz.CompDB.xml.cab
| MD5 | c8b7dbad3b2d31c56fc6c35047988bc1 |
| SHA1 | b0817adf413d287fc929c5e2df1cacc3455ced43 |
| SHA256 | e8ce236f1a9706fceb6db46d1e89f7ee1134550c0fa767cec46acf788a1adbb7 |
| SHA512 | e09cb1213560e885f1fa9adfb0578c1e5ac2bf5b3a663242d19ad6f8125f631d23b512af03346cfbb716f91c6570cd39a65694720cac6504b3bb9c40ccb80940 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_ca-es.CompDB.xml.cab
| MD5 | ec32e5f5fbae4cea7d8eac9ec2c4da3d |
| SHA1 | 6203503e8f1f710973118dfacefa1973268f4970 |
| SHA256 | 4cdadd73a1bef82f578c9da785339572561c649c9bdf0cc80134aef326644461 |
| SHA512 | 90b01b8d8d2cefa9e2c765ecbc1f4d44e088c9bf4f670236b7b80334593e04c414fe389aaf9f8601402d68c964f5e1a862e9da0ca32ce9af23fc19a22bcbd6dc |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_bg-bg.CompDB.xml.cab
| MD5 | 6583f80c152b3144a5cdecc99795214b |
| SHA1 | df52ee426687262b5548d3c724b4f53ef6604839 |
| SHA256 | 03b31d9afa1c55d3d5452bb9c69b6688d276e58221b8eda8469144aa019eb579 |
| SHA512 | da8c3fafb716e5b3f7e339fa59992b73463f6695571cba1711d402c58e14d1734ba26da7d1e2cc55d664d5469870f14f65652fb5ce492985fc5b2577602d3da1 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\DesktopBaselessCompDB_ar-sa.CompDB.xml.cab
| MD5 | 4c23e3473262f08834b8841ae2a52ba2 |
| SHA1 | 5db8dba4f97e55361fc24c1b1694e9571f161183 |
| SHA256 | fe95f47d1f5227829fd03b05c896e757cae92ef7e5bf53ac89b8bfec16eac042 |
| SHA512 | f9aa2703fff27df1198ff4e20cd7f692e90a09b8a664d10fcd77fd979d7545282aa1379e3e3144effa3b71170238215eb1f2389c8ad488a67ce48ada357d62d3 |
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\$SysReset\CloudImage\metadata\90ae2b83-04c3-4ea5-8685-fd898ec76d91.AggregatedMetadata.cab
| MD5 | ac8304d9dd93aa844e6a80ceec3bfcf6 |
| SHA1 | 25d8a0e335aea196d69a21c4b64fef31a2ecb49b |
| SHA256 | e5a3fbb00d6ec175f3912cbf333614034d088ee665cf276b8631b309714f96a6 |
| SHA512 | b415bb722ed5f6db287c8beca06ad6c4a9006c1a815b224b14ae55b85fe3f0e1b72db355ec7969eba9fc7d12cc3df84746dd81f6a478f9984e0d2ac7b85f8c63 |
C:\$SysReset\Scratch\csrss.exe
| MD5 | a976339058116fcf346437d797c7eec1 |
| SHA1 | 69a1dcf6a41bc750cacec3185c99839c079275bd |
| SHA256 | 8ebf4096d28a78e8ab36e5084784acc90464eb4a74d972c942f147ea59e5134b |
| SHA512 | 72bac6ea896d9b7f817ef5644adbdea80bc7f852be124f08487507a4507fb0c0aec167ec03b9dfb8c4ede7f0dbcbdc8343bd3c114eea62bb1b842160fce324a4 |
C:\Windows\System32\Recovery\ReAgent.xml
| MD5 | 606bb04b79c722de9b08833316da196b |
| SHA1 | 0b2721425831ceb6a660f44452d009d4e1959388 |
| SHA256 | 4d2b43d964d53c7c65c36ed9d638aa5c272e54c9f861344c3eb38ad4ee64a512 |
| SHA512 | f062c5c907431a7006c3a172596967ce7895bd8f11de7b42549f6e979930a661cfd2604296533cc257796e69cecf7d2e62e761e328904a10a1ef1efb56a384bd |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | 2ff3cb48098a371025bd35627e0ad18b |
| SHA1 | 45e73c16d3718ed33fa11987f23d7621102a96eb |
| SHA256 | f5a7335d27c89072fc657286b1eb4203ef39fabfb40ae3e17150fc42f21346c7 |
| SHA512 | de30b7f190b9cb2d78843f29c3cc8460c47d81d9dae78acba1133cc1e42d6f52eb6c4291b161abb1429f48a88da96cee4e55938397f10e181464d59439ef44c4 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | f46ca122746cf66a7735a71ffa145f62 |
| SHA1 | 0b190aae384f53bee055a789dbd868c60f246501 |
| SHA256 | eeab26bc6d25c9d40664fd63dd438a46439314bec5d460d1319411448e6e8dbb |
| SHA512 | 9d639570547e2c9e030eccf6b0556a5bd2ddccd0597d74c90002b7648bdd4c5a42126575a23c5b667c971874ab9e89b4f27dfd83d781c8ace517f4b9f50b2070 |
C:\Windows\Logs\PBR\ResetSession.xml
| MD5 | 3f13d75af0ee3cfcda4f82d98719f06f |
| SHA1 | 9ffe54bf0f0dd28bb295d76c27c7caa548f39a68 |
| SHA256 | 7f1ab4990396dab6c70ca58da8f103b15deda89096c884fa62c499403187554f |
| SHA512 | 81d60c33ac31f30f50e644f0c6bbd53bb89591971201d52f130e08586c2a961637048aa13ae08ffddd495b0eeeec7cc98f25a1db3db6de48ae50533e1f8a6fe1 |
C:\Windows\Logs\PBR\WinRE\bootstat.dat
| MD5 | 3c08dea20e350ea34f7309e856576428 |
| SHA1 | d7a048ccc07b4d16afc4d778d5601a067fb151b9 |
| SHA256 | b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82 |
| SHA512 | 1c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d |
C:\Windows\Logs\PBR\Timestamp.xml
| MD5 | 75720c403d57d188db40183385219803 |
| SHA1 | 91aca8d220ac46a788a7478a50511f9da79847f6 |
| SHA256 | c2464f286ab6b8b534385064f0f4d770ffe040be4f1b5c3be340a4a511238b70 |
| SHA512 | 47fcb2e3f02190cfee808ba6dc4d4057946076725a2e1172c4b9ab70f7ca91b7de2126047ac20491c3cf1f73971f55c9fa91117ab4fac107041af9dc3102c482 |
C:\$SysReset\Logs\setuperr.log
| MD5 | 09efd6578f801457a55f8663fa8d09b2 |
| SHA1 | 81dee466080d81484adca57dc2a0b6f18acb3a20 |
| SHA256 | 08130b319e06fb8ad9e27768e219942e725de81f3895ceb0c7b81fae2a54acdd |
| SHA512 | c053d1198448bb6df7978e8a3c5c7b65de7d79c4167c33b2631b8a717ce72c07b83a621288bf6318d39f65e3e1ecfb1f9132c6a43e54a68087316c1a62b2478e |
C:\$SysReset\Logs\setupact.log
| MD5 | 77ee2f9d3eac2790fa22a8d9d14cf29a |
| SHA1 | 803a334b59edb78615d38697f6f8a4e97a7b12c0 |
| SHA256 | c382318698d96d44d1190673f04d3a099c2fdb75747606beb131e7f3f2aa3d10 |
| SHA512 | 02ec8c10d986617dd680d24166b8ccacda87dd03eaab278ebe80fbbc9c6f4c7a87cdf80824628eabb8d2c0971c2d55f9a2df1ddb24a04a40512d38cfb854e3c6 |
C:\Windows\Logs\PBR\SessionID.xml
| MD5 | 3105d96cd9f198ca8986f4255789a09f |
| SHA1 | 5247bfce652665d6831f392de47c873953618ec2 |
| SHA256 | 732d935d25d2db004c1e77ebc3040325562175ee6d76399057ca81f856c15815 |
| SHA512 | 9098f665e199174a70d4c298354498d70caa32b1ecc26aa0458beadd0dfba12a20bd4c92db5bb5bfeea2f56a2234a69a3c264aa7cc114e122c5579518caaba93 |
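The dropped-file listing above mixes three kinds of entry: the Quasar artifacts themselves (Client-built.exe, the Quasar v1.4.1 server folder with its settings.xml and Clients\...\Logs copy, the %APPDATA%\Logs keylogger output), memory dumps without file hashes, and a long tail of Windows push-button-reset leftovers ($SysReset, Windows\Logs\PBR, Panther, System32\Recovery) plus Edge profile files that are sandbox activity rather than RAT output. The script below is an added example, not part of the sandbox report or of the Quasar project: it parses this path-plus-hash-rows format into records, checks that every hash has the length its algorithm requires, and classifies each path so that only the RAT's own hashes end up in a blocklist. The keylogger-log rule (treating %APPDATA%\Roaming\Logs\<date> as Quasar keylogger output) and the "noise" labels are my reading of the paths, not statements made by the report; SAMPLE_REPORT is a constructed excerpt whose paths and hash values are copied from the entries above.

```python
"""Parse a sandbox 'dropped files' listing (a path line followed by one
| ALGO | hex | row per hash) into IOC records, check the hashes are
well-formed, and keep RAT artifacts apart from sandbox/system noise.
Added example; not code from the sandbox report or the Quasar project."""
import re
from dataclasses import dataclass, field

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|\s*$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed excerpt: paths and hash values are copied from the report above;
# only the selection of entries is ours.
SAMPLE_REPORT = r"""
C:\Users\Admin\Desktop\Client-built.exe
| MD5 | cccda4656c0a50bae7421b77bac92620 |
| SHA1 | 2c233643f8681cc2fb52f54c364cf3a1772bcb53 |
| SHA256 | e137c0cf65e0fc4ffb3fe9cdcb0a8281feb45165ace9505ee8b250f2506c0ef8 |
| SHA512 | 4bd2232ab50aaa0de7275fd087523896b5051b854802eee8c35f7ece0c835109bde884bf7f1b341a6158badee8e680f61e6d3577198db9b2fc06bc020fd3cd65 |
memory/3232-611-0x00000000007A0000-0x0000000000AC4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\2024-08-04
| MD5 | 70efa17933ca4cf0406586b72919fd1d |
| SHA1 | 4d3b7b269aca8747044d0bf53d8447518111c9f6 |
| SHA256 | 05d71b66acb0fac15c5168ed76a1d80db256de5cb8f38727d09a853128ac3ff4 |
| SHA512 | 4701d3e8822f869a0a7669d61e1d96664dc7d567f96176c9a0b0c9067cc5c21890452dc7f242b0a8712d01e3879170280161c4fccba2b765943167068355a172 |
C:\$SysReset\Scratch\csrss.exe
| MD5 | a976339058116fcf346437d797c7eec1 |
| SHA1 | 69a1dcf6a41bc750cacec3185c99839c079275bd |
| SHA256 | 8ebf4096d28a78e8ab36e5084784acc90464eb4a74d972c942f147ea59e5134b |
| SHA512 | 72bac6ea896d9b7f817ef5644adbdea80bc7f852be124f08487507a4507fb0c0aec167ec03b9dfb8c4ede7f0dbcbdc8343bd3c114eea62bb1b842160fce324a4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | fd9256d5a984f4a4c174d1edd57dca89 |
| SHA1 | 92a67cb64e845308aad49b583e8c0b748c6a12d6 |
| SHA256 | 71b99603a64823d064421d16957424d52d395369aa48fe82f37cec796bb312a3 |
| SHA512 | 8087791ceafd17ea656fdc6327ea1925f66da216f2cb4a76ec3254b285d3eb97ad8517486d3306904cacee946b51aa077bf498cc0166828f03abef72e0e910cc |
"""


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)
    category: str = "unclassified"


def classify_path(path: str) -> str:
    """Bucket a dropped-file path. The quasar-client rule follows the report's
    own 'Executes dropped EXE' entries; the %APPDATA%\\Logs rule assumes the
    Quasar keylogger's default output folder (our assumption, not stated in
    the report). Paths are compared case-insensitively; NT object paths such
    as \\??\\Volume{...}\\$SysReset\\... are matched by the same substring."""
    p = path.lower()
    if p.startswith("memory/"):
        return "memory-dump"
    if p.endswith("\\desktop\\client-built.exe") or p.endswith("\\subdir\\client.exe"):
        return "quasar-client"
    if "\\quasar v1.4.1\\" in p:
        return "quasar-server-artifact"
    if "\\appdata\\roaming\\logs\\" in p:
        return "quasar-keylogger-log"
    if "\\microsoft\\crypto\\rsa\\" in p:
        return "dpapi-key-container"
    if "\\clr_v4.0\\usagelogs\\" in p:
        return "clr-usage-log"
    if any(m in p for m in ("\\$sysreset\\", "\\windows\\logs\\pbr\\",
                             "\\windows\\panther\\", "\\system32\\recovery\\")):
        return "windows-reset-noise"
    if "\\microsoft\\edge\\user data\\" in p:
        return "browser-profile-noise"
    return "unclassified"


def parse_dropped_files(text: str) -> list:
    """A line that is not a hash row starts a new artifact; hash rows attach
    to the most recent one. A hash row with no preceding path (e.g. a listing
    cut mid-table) is an error rather than being silently dropped."""
    artifacts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if not artifacts:
                raise ValueError(f"hash row before any path: {line}")
            artifacts[-1].hashes[m.group(1)] = m.group(2).lower()
        else:
            artifacts.append(Artifact(path=line, category=classify_path(line)))
    return artifacts


def hash_problems(a: Artifact) -> list:
    """Report missing or wrong-length digests; memory dumps carry none."""
    if a.category == "memory-dump":
        return []
    problems = []
    for algo, n in HEX_LEN.items():
        h = a.hashes.get(algo)
        if h is None:
            problems.append(f"missing {algo}")
        elif len(h) != n:
            problems.append(f"{algo} has {len(h)} hex digits, expected {n}")
    return problems


def ioc_summary(artifacts: list) -> dict:
    """Block only the RAT binary's hash; the keylogger log's hash depends on
    what was typed, so its path (not its digest) is the reusable indicator."""
    return {
        "sha256": {a.hashes["SHA256"] for a in artifacts
                   if a.category == "quasar-client" and "SHA256" in a.hashes},
        "paths": {a.path for a in artifacts if a.category.startswith("quasar-")},
    }


if __name__ == "__main__":
    arts = parse_dropped_files(SAMPLE_REPORT)
    for a in arts:
        print(f"{a.category:24} {a.path}  [{' / '.join(hash_problems(a)) or 'ok'}]")
    print(ioc_summary(arts))
```

Running it on the excerpt yields one blockable SHA256 (the Client-built.exe value) and two hunt paths; the csrss.exe copy under $SysReset\Scratch and the Edge History database are filtered out as reset and browser noise, which is what you want before feeding the list to an EDR blocklist. Feed the whole listing above through parse_dropped_files to check that every entry carries four well-formed hashes and to see how much of the report is reset residue rather than Quasar activity.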