quasar | 9fe210a11e62457a2913c5501e50ef80d2c8cd1120d938432626eb914909f801

Analysis

max time kernel
246s
max time network
247s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-11-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inversin2.first.ovpn
Size

4KB
MD5

8456942100eaf536bb9edf30afbe3b64
SHA1

de1ebc945ac0d5cc7161370d69b763b6211ac2e7
SHA256

9fe210a11e62457a2913c5501e50ef80d2c8cd1120d938432626eb914909f801
SHA512

49283477fda01d06d3cd2107ea37687620a957899284f613ac81a713ec1b27fafeac320c3476e34e2a8c63b169e7e671e76478398fe955282f607201751f9970
SSDEEP

96:6aNr6IA3AeOY6hXrVfaCy+tF4ucaLlK3Az6E0H61Wdc6jlcx+V7Px6i6s:6aNr6IDRy+tWucaLjZ04sc6WxM7Z6ib

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.127.1.127:4782

Mutex

27b4bceb-071c-49a0-8bca-3a989c114a17

Attributes

encryption_key
EAEDFD6C6C0EA0BF7F7A63603931D231453DE1D6
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00280000000451f8-351.dat	family_quasar
behavioral1/memory/5800-354-0x000001D5C5C20000-0x000001D5C5D58000-memory.dmp	family_quasar
behavioral1/files/0x00280000000451f7-355.dat	family_quasar
behavioral1/memory/5800-356-0x000001D5C7A00000-0x000001D5C7A16000-memory.dmp	family_quasar
behavioral1/files/0x00280000000451ee-658.dat	family_quasar
behavioral1/files/0x0002000000040cfe-697.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quasar.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	Quasar.exe

Executes dropped EXE 1 IoCs

Processes:

Quasar.exe

pid	Process
5800	Quasar.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

Processes:

flow	ioc
116	camo.githubusercontent.com
118	raw.githubusercontent.com
101	camo.githubusercontent.com
114	camo.githubusercontent.com
115	camo.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\wf.msc	mmc.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DllHost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
5856	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752543868731060"	chrome.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeQuasar.exechrome.exechrome.exeexplorer.exeOpenWith.exechrome.exechrome.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000a241450f5b25db01e465e72d6725db016a09fc283b2fdb0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 66003100000000006559762310005155415341527e312e3100004c0009000400efbe65596823655976232e000000d150040000002c0000000000000000000000000000002c1a37005100750061007300610072002000760031002e0034002e00310000001a000000	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e003100000000006559682311004465736b746f7000680009000400efbe57597376655968232e000000050904000000020000000000000000003e000000000080d822014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-870806430-2618236806-3023919190-1000\{E60E27B8-4988-412A-BCB5-B44611944898}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "5"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exeexplorer.exe

pid	Process
5384	explorer.exe
5864	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
4196	chrome.exe
4196	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Quasar.exemmc.exe

pid	Process
5800	Quasar.exe
4612	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exe

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

chrome.exe7zG.exeQuasar.exeexplorer.exe

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
3124	7zG.exe
5800	Quasar.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
5864	explorer.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exeQuasar.exe

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
5800	Quasar.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

OpenWith.exeexplorer.exeCredentialUIBroker.exechrome.exeQuasar.exechrome.exeSecHealthUI.exemmc.exe

pid	Process
3800	OpenWith.exe
5384	explorer.exe
5384	explorer.exe
2932	CredentialUIBroker.exe
1388	chrome.exe
5800	Quasar.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
1196	SecHealthUI.exe
4612	mmc.exe
4612	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 4196 wrote to memory of 388	4196	chrome.exe	95
PID 4196 wrote to memory of 388	4196	chrome.exe	95
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 3104	4196	chrome.exe	96
PID 4196 wrote to memory of 2136	4196	chrome.exe	97
PID 4196 wrote to memory of 2136	4196	chrome.exe	97
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98
PID 4196 wrote to memory of 5340	4196	chrome.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Inversin2.first.ovpn
1⤵
PID:1860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc1898cc40,0x7ffc1898cc4c,0x7ffc1898cc58
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3848,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4948,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4916,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5336,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5592,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3512,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3388,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5664,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5916,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5812,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6156,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6192,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4708,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5088,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4500,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5936,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6516,i,1326264328853914456,6201746595737847505,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4180

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3556

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap21226:84:7zEvent15695
1⤵
- Suspicious use of FindShellTrayWindow
PID:3124

C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5800
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"
  2⤵
  PID:2800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5384

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1020
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:5856

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:1388

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:1808

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:5864
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\wf.msc"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a54845a576c9e98a49700156850517b6

SHA1
4d97ac0336780b8ddb760b4923d8d2b2e8e080b8

SHA256
39b628d94cb54b4f3c16e014394132e4806d8b95dee8e3e6be5291d20f2b4179

SHA512
f60a1306198fae09e8f46a07a5eebef8486ad55e8f223dcae962a2c72ddc01571f5c49c5beb7257befbee214eb68e80a84eb7a7388f33e82790259b6976bc3d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
41KB

MD5
503766d5e5838b4fcadf8c3f72e43605

SHA1
6c8b2fa17150d77929b7dc183d8363f12ff81f59

SHA256
c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9

SHA512
5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4ffc1bd9d862cc716de699124f0f178a

SHA1
f136f12c6ecdbbb5d2e9f2d66d5da81d3ce9a39b

SHA256
01d4d35ee5a7d4c51e2199503e70a058ca457d11ed78c2aa428ddfc77af5d74e

SHA512
76d6a4423e4eaf2a6f487ce2f3fb48caed44e0ff3a1ee5017e88b287450a5e3534e1723b5e1cab31de30345c10ffadd8e37f1857e6eb4d0b8432d04ea779f9b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5d5ae069b1d33dca09bb53df09f3bdb2

SHA1
81c3e90ee6b97ab7153f6b2ad544de793e7c2649

SHA256
e318c1d356b963ba5a8596f1e6fa650778ee9a785e038caea494584db4a472f7

SHA512
854743070e088deddc3ebb6b81dbb80d5973e7e2a453fe665f1afba731a7449c4eab6d53f7919a03728c04c17c715463787987655329c43b2f85d88a33a369f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
315795eddb1b1d7ba425af9d402a9656

SHA1
eb378291f2ab6f65f12fdf54b70189870ac1c4d8

SHA256
ddfdea014c09bc95e6a288d79d267412b9da29b8b8f67a3e1267453075468baa

SHA512
3e0fbf9c4cfc039b79a53688e82e59d12e10a194939b9048ba46f3bdc9c38adb575b2adc93fc462815fd42825477abb444ddf410d1b8a0e9ee94fb0feeb26191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1cb83365-b235-478f-bde0-e483d54c41d8.tmp

Filesize
1KB

MD5
8a7bba468b71739b77243674cd0ae7c3

SHA1
cfb5fd5486acf7ee194d3dd0039e84431ccf1647

SHA256
8d52c7f5f45afecb3c477bbcda21c92a409c420576b75405f1d9a250c75965b3

SHA512
2f3275d0dc807549889345ccb1afbe7653c0f995385e13d3468ba40b28a54d09a9b0555683b60beb17ad9d7481ae37241b5c740ed7409ceed3117a7c6e2e7ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
1f43f6da0665a5bb25399845d34bfbed

SHA1
b15c881523bb551917c42217fd7d1e43c9fc842d

SHA256
94e58b0ce648e8124fe691c695b7b9e5a98ca8277328914e519bfdc68b0826bf

SHA512
a7f426aae13fcc3e463b88eb25c1b8bbcf0b653e25c531d495db643a77f95235d1befea3f7efb830dc7ac3b871a195a7b2324c7785a802cdc69b18ffe6479357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
c730a04653d7524916f99267f600c0a2

SHA1
46fc30c2838fefe2f2f3f7c68776aa8fd4e7de49

SHA256
62e0cb51fd8e5a2b3b94d4e8e80c6292fca15057ccd312dd0cdd9b9f8b0f37fb

SHA512
012cf6360ede15b3fe0ce4aabde8ca8d96fd9998a064aea791e950da09e6a8e6b31cf2787ed40aba55323943bdc31cf2151765a40688a06f6c3bf6c5f01ea897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f887fd7773a95282ee6e92ce7a6869c3

SHA1
3d834d170b63803dee5f28ac4a46c3b72abd36fa

SHA256
c2da780637905210a2e4d33c9605199734f8b7fb8208d61e930dee81db8e99cf

SHA512
1ee0e72cf69a823257ca986d77ac8f6d6da3241bc79ee9f93f8b695a2cd9de04f9243e05910a85b362eaffabb2f3d0a38683ea300afcf60cd5b4ca11908110cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c40794bbcb325f9db691dca4a4c0a362

SHA1
b2b6ee1dd63ec8d84dad142d3cf0a0771f44cffe

SHA256
a3b3a25b222343780a21f1570bc5e1683fb04f34c13f62049208e191ff3fcbcb

SHA512
4a606dc8b79e4f0a6b4623ac7e27753b7f9bb1d6f69deb0f81fab659b83f0d2bfc83f2e9404c7742fda0ee2787ed8f2a776c2c8b01cb9c1731b57a8d48ebc057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5f3ce74e50127e4b872797e27d540316

SHA1
9be9e45db3f08891f15922f649580d7e4d1eb9ff

SHA256
ee99674b73e58fe9b5c83fbac3d1d56b7f5549b397b855be6fea8b4e804ecbf6

SHA512
8974ffc71e48fb43b852dcdc35bd9550b62f45e4f4b817fc1e3c860017cc5db0fc471fd928449113de35516b1f46cba298d46a9b134d79217ed4511b18efc9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a84222c9533ff623ef86de9283940078

SHA1
8c9e66ab7a2e3cfb0141da0da1290fc73b1341c8

SHA256
19a1070af5f8330a4cd98fb6cc274920a50c8428b750126405ed691b0b8350fa

SHA512
dfdb816cfb9a902ca8a316c4fd506f5d8ca251c3f346e78da93b1bbddd17d5d9a8ea304a1b1325e893a70cf3310f7d2cdbfd080f4309c7cebb5e065024205f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c51c9d3c63df381939a205822260400

SHA1
f70018f21e303c9843cfd4e227527e68f9ebb021

SHA256
1eb211f71d617425201e0f49dfb9abb82ccfa8c4e40a8f932c7cda3217dc5d76

SHA512
e3b249d8b3e1d984306ad3c2678cfcf2e020c82854c79de54ab7007e9e79bbf5175357c620eb0166f8cbb08828fa128d17f2e6bd7eebbefc576d16db1521eeec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f3ba6200b2c59e7a1d447fd3e3dc77dd

SHA1
e29545bf5f616db8ae40c74d596e4dbaedff8411

SHA256
e38d277b42580fb2360e6d11c4b17f96a6d86067ecf47503e376c189dabf0d90

SHA512
1969a6879f63153fe10962dd2893d3a3f2dc58f57726d1ecb695adbf71ffaaa3294db790842293baaf12e193527c6b4e494048b9beee6a2bc0b58bc9b2c0ef4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c09bcad82625d6d4806dd5fc7c6c6e9

SHA1
3425619002080ab04f6b6859fc8c882848c78876

SHA256
73145134b92c8e86de08915b4831eae5b8fdcf5b463f8b7c933e9d26764f6429

SHA512
64393feb5d48cfceb8add37efcd6002b8c2205f03a5d4da5d6c35e254946114dbbf0a4d8a7a1f4b55d7a36ff77a87a19131adab7736370b848efae4c291a2fc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
70f6dee67cc6b013b2552210b5899e12

SHA1
a5835092a20364491c7eedc172b5023dfba46260

SHA256
68579e5a6a28a0610fbba247cf9d2901e9db8db3da0926206f957f2ac3e33295

SHA512
95af0a53825d746ac529e457f67381761356f4e4086cc7a0bb614fb8c1b9730e27691b20aba53c0ce0c6a2e2c5c77200a0f953b8a1568c7e482508850bf08f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f660586c873257974ba851f2244832ce

SHA1
636e06ddca5d9a2d6db2ecf23412be9ecbb90395

SHA256
2a8e3d5c86934cc131615aa15092b5ed673c52711d82b05335e36aa35ce2e86a

SHA512
2f0d3c0cee18fbcf38769b0bcc8ef549a872c32db433fc53ca94ff4be0834ddd2ba72de9525bf9e99d4b1de82b22514ab6577170f1f220e2b13173304a6cace8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e3bc646f317bd755fef5cd8caf1917c5

SHA1
30deab239e982527322ca1c24e553c79cb307c8d

SHA256
17015bf9cb7c1c2415b9e45b8e786fb0c2ebf7dfbb785d7929c233119245ea89

SHA512
3c14325b005e61684f253172bc8ea5597b2ee4885ef1329bb21512fef3b71c5be1beca335da3aa65671dd1f28ec8dd3314d0e41aa5fcb955ed92ac9e747cadf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a38e7959717bef736810a8c0d897ea22

SHA1
7edc97819c6165f6c9f5c4944ed1fd1e238b973c

SHA256
3786e777cdb47747f3f7ae9968234495a9e504dc7543ff2bf237815b3cd7ea18

SHA512
c5a773d161ee3e3a4100244781d661fa3545c518ebdddf209cb00e10a08b7474c4f6f5e8ce1c36552947ba7485bd00f0994715b77a828a7a017002e21cbd1448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8cc267af9f2e7e30901ac84f3eb0c1f4

SHA1
f089bf5183a232e3b2d03eaf98d37bc1380d97bf

SHA256
5582774596bae55782c2a2f9f67d0210a6398bbf2ebdc74f8c053a9c83a0bf05

SHA512
cf63134d728a447a233f5e882c2e8b26f11b4b88d4e09ac9c64acf67907592a3ff175e859b3430ca9b10ec17bbb9ec6ef9d4a4f229eb0eab74ac9f12491b4b70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
685f812bcc5e6813b41dd5894595ee6c

SHA1
80d39f106995111ba186e67a152bd250526959b7

SHA256
10ae1e42900407337437cf363794cabd18ffcc19870ddc4268c68969bdaa2f00

SHA512
19801631a0125001902e360b6705b0abcefd332a15119820e0133b877df5bf657ddeffdf62dadc8de08bd7bb9412dcef53098ab7211c422f89e048d347aa1e9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
839940e02893b33f2f4d77938ef431b2

SHA1
ed40b67b5907f48b009e019fe8fa58759b84815f

SHA256
7f084d69c1b6759b8b58fc5b9b10066e10df77d56ad4657dfcbf0143329e1f13

SHA512
ef7ed9cc02ff40bca2830f5365198ba58ecba0b097e11bc47f35c2b2fc8f5bd2ec17363542f90aab4bf0b1d9c7d9e12913e690436c874246a74578d001ffa8ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c001adf5bf49939ad3f43e642b2547ed

SHA1
914ac2780f7ee7bce222ad05d501104b88e87eea

SHA256
c91b7bbb4cf73b5822eca7438b238a802cb321cec55a36a5cfa35dbc010c6652

SHA512
c58f02f3627c3a64d8d13c275c2e72feeaf76a8abcfe90cd3d2ad66ef2f64bd4a684212408ce3b4b54347c048dc9df5d7c1e7e740dd172e6c141f44636caddb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e392aff8d7f39856662986308ffaed2e

SHA1
c0a80e7ac2de2ad3b674302485a06a23b0b982d6

SHA256
ee34629cd79aefcd2805de70dbf1104fe5b3012612b434f21eaba960e68ba1f7

SHA512
f6cd04a89c5646ef56002b17f71aa857618e43bd116615e9f32c19437fd696c5991496ee411b141f61db90b3064a2de9b0ca5afd01ee5162f7eae980c2ed1d45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cb5b7f582eff69e8d130a9affda13a77

SHA1
e136bfe7c66abfb3941aad96bf81f7bd26d19f43

SHA256
9b4c68875a6c8da7461b826e8929bf8a2669fa9722a33496f8d719fab8715f0e

SHA512
18641eeaca3528689021bff798d61c23cbeffdb519167d0246e5356472a68123baed7354cd7c3ff83ff30376ce917c1f9444c5b856c18b7a3834d8d84446be27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f42f1d0cf0b1b9385059bba6256c13fc

SHA1
af3809ccbe7f45d22cf700ba4a8b96012ea5414f

SHA256
1aec43c08bf71c4f2822e0ab00836858cadf2a1c3761ac4c7ee35c20535b14e4

SHA512
e75d32b1ef5a48e36a69f2b454bc5601b5456314a742cf05f16e4942ddb13a27eeeb360924818643c35c1bfd30a7ff37c55b8fd34b6c4f954eb871d92c17b152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1d5d161f4b1db83976d163372fea9aae

SHA1
f16473538ab119d10b5676483f7e716f311993fe

SHA256
94054431f7f9d005d95d0813ba3a07f4368937f28a6291a1eb53e80cc1692bc3

SHA512
ee36ea15ce8bc5c305495c2e552e038205914255121561722eddff86799a289423c9190324ab1d4fab8bf3db7edf7ad0163e1328180101812d63bcdc94cd811e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
66bc32433d06541ae34d57eb903db52d

SHA1
de80721e67f644b9541ed554b2337676c12b00dc

SHA256
799cd87b27d3604b0c0c09ee399c60a34c35638a58fb4a2b6b47ab57e40e6318

SHA512
8c370593180b20111a49ce4675f0579ee4c8f02830a03e32131ac7cd82ee38255a73fb592c564fe32a5f166fbe5abbcb1520d23350eed7f1ee681ef0f9499c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
353d65f89e9942a1b0a29a7536a51db5

SHA1
aac987ff720d368f97cd349a7165d29436c483aa

SHA256
aa7b070eeb1d96c05bd390280e6d8568a7f8b01c99a0cd3231a1e5a2ffe4620e

SHA512
c1064632850d347333ec02947d6c2a0dfd6baeda27d778ded26a1aade04c2bbdd82e2749aaed16923fb62204651a068acbc2be65fe702ca250b7872bc3e62f0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dba721e2a17d3c4bc2b0b5c9209bd2b5

SHA1
2c4b45adef68c3d9d395653aafefacdc5d7600a8

SHA256
7d0609e0c6b290a700027c57542fab2ccb84ea825450c9c9fb7174797d553c2e

SHA512
a45cb969888a042ec8b792070eb2f16293c3565f5debefd4e5a26c6219355f0a772a64a6b9e61ef66e37171ed3076e34459ea46a996c914aabaf826a5e9fbb5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8acc5e3d64e77fc191eacd93ab33c82f

SHA1
de07cb2912077372181c68922d22a5840714647a

SHA256
6c92be8eb572c8e305498d7f7feaafe91ddf88c7f7a2524176ee884734772def

SHA512
71e4da629ec5c1473cf9b467264573252bf0808f5669b28e9c16bfa0be03a2dd95a861c403c482ad5cc8d4164d700a14ec9173af5e7fc156f53dd5ce320f6a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fcd8fcded9175d4398f505f165968e17

SHA1
47fa7851201d449952c3b2a6c7269cd89e4c1899

SHA256
fd75672275974fc63bb14ac4955495dc00fa40a9c9160a3670f2e0f74a61bb3d

SHA512
ec35d29c9292c3e2e24b3fdbde64c3e6c4416544060ef8ec085de60fd74495b2af715631c630e5c0b846ee61937e6e0970ba56c1dffa41e7e21568f309794197

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
41610a3238aafa647eba65af9cffe5ec

SHA1
c68208f616319917ba8e2d60e1b1a2ed26699ad1

SHA256
e937710a86a0d9e741d8e8c26c6aed8a2760a96408cc66b6481ee0b7f95b1493

SHA512
1e4ff33e363383a57c87c5ffc78fa8ed81b89290eb4f2d608d74bfaecfdbac7d4fd5e4926fea8025fb5bc52703636d8a7877611cd8888e422f577032a710d629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
10340dacbc34d4e5a2aa5938724b1cf7

SHA1
61702c5c06d6e86050458716e8df7b4e21cd2b04

SHA256
d8ef117a61d0b46c7f557969201c271103e94c7dae45081c3cc21858259f912f

SHA512
4425148ec3b4316e6e675b09f703fe574f201b4e61ba9605ddfcbbacb0c54612c31f8b48a8f9f4765429f41593a958a43576748ca4279538fbf6a47df99e90f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
65c59c59973bdadfe137722194603d36

SHA1
faea12b01104d90f8664d80ba94b80f71a40c9b3

SHA256
f5cc1f9f6fac3c33f319db0d49cece0018ceecf57db5840a3c11bcbd24bc1ef0

SHA512
799b4a407efbecf712152d8df3078eea744a61a488158ebbf599bee9b796fedb3741f7ffce9b6ab32775a4274e640126eb4a8cbb59f426daccff8e0ef23c037d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9703b118e625b09d3d6a0d59f7f941dc

SHA1
2f6766a09d23aeb33ad6a528309a96bf8d562cdc

SHA256
3cf40e98a2adea42e797e4d57575a9c02f930ed001e7b50e23232484c6fb6c30

SHA512
77148d432f745967dc1a9216f1e9ab4db618a54a0ea4553612f2a17541a07c8a46f40e055218db1bca76d77582e1305fe5e388b3bc044583e783fa3e7ea5a259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
75e68a4167dac922381e70323e915d0b

SHA1
b37bcaaf88034b467d8a8f3f3150f01cabaf2bb0

SHA256
9b060454c9c9e8bb8d6184742191b46fa3367a9c72e02754a4b7ad18d2bc7477

SHA512
cfbf8412cb76d926cb4f3e2a8f98803bbdf61b58f6126600e80bdfa534e6c1cf8bfd852dc29b0353d9026f7fe70eb7cfccf3a833cbceb7e61ecef5939731eeef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
680212df349824050b011b9297a0636f

SHA1
e447bf14b7c6a41cde45fcb5538c501b8661538c

SHA256
7dbde7db45084bd2111bbb4ef7d81151409b49d3d9c828f8fe92c85afde3400a

SHA512
4765356fce940e7d54847cfc1b2b2fde1114bc88c21e822b4af810de682b5fb5daf5793b9a29fbf7361407cf3982f6dfd43370da1bc841802b51d63bdaab3099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
f4b121ca929de459ff26e5cbdbc0117c

SHA1
9a9e04df0ae3c8ef74c12a26bdd94e244152fb9f

SHA256
3c8d602a79be26d7faf71e7fb95dc85643d2a77cee45d87e473994886904e7de

SHA512
35692046492018b7bad7273cb3576ee4053736d04027b1df463dc8e51ad7d98b83b46a44383354169f9036ad320be3ce1a1faa2cb064d315d5896c28ba33e21f

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
3.1MB

MD5
fef7fc18a56919307292dad1b0481e8e

SHA1
1b4cc3b74a2c5c43cad76cf12f7b03dafe6dad3a

SHA256
d2422e4e839fa1da5bdb80a4762ba07c26c6134eb9f00e691894ec5312024c83

SHA512
6fd9b368c64364b28e35a972fe5dc25f3afc3ce13ab4bb8764c9a80018bf97b1c6e13b2026750dc5dc08909a3f7054b85c5d23ef59217489f1d7807e3132e568

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\BouncyCastle.Crypto.dll

Filesize
3.2MB

MD5
0cf454b6ed4d9e46bc40306421e4b800

SHA1
9611aa929d35cbd86b87e40b628f60d5177d2411

SHA256
e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

SHA512
85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Open.Nat.dll

Filesize
68KB

MD5
cc6f6503d29a99f37b73bfd881de8ae0

SHA1
92d3334898dbb718408f1f134fe2914ef666ce46

SHA256
0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5

SHA512
7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml

Filesize
1KB

MD5
bd817c177429cc8eddb515176a519638

SHA1
6a1113e208dd97cdb7fd338c6a683630bc36b2bd

SHA256
455202a6dd9b300c7c143f8c8a33015245b824ffd0ab7783cfb8b5e36cc60e23

SHA512
fc09f20f54d4fdb35138ee744e51338bac2d4374d584cc77995c5fbd5f83ff0f3c841070363ae7db4a2e77ae123577a9e8fcea8728ed34d85160c7b84de85069

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.Common.dll

Filesize
62KB

MD5
2185564051ea2e046d9f711ed3cd93ff

SHA1
2f2d7fd470da6d126582ad80df2802aabd6c9cea

SHA256
de930a748e4dc08c851ba0a22afce8dcfd0f15f23b291f9306c8ef6ccd7460a2

SHA512
00af241c1f89b478e66d758db26ed0a413b690d695abf91211b5cbc3985133632327ea0fc41140bd61d02271b6aa278a8e8f539d8ca6ce94972aef50c1a9c868

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe

Filesize
1.2MB

MD5
12ebf922aa80d13f8887e4c8c5e7be83

SHA1
7f87a80513e13efd45175e8f2511c2cd17ff51e8

SHA256
43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

SHA512
fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe.config

Filesize
176B

MD5
c8cd50e8472b71736e6543f5176a0c12

SHA1
0bd6549820de5a07ac034777b3de60021121405e

SHA256
b44739eeff82db2b575a45b668893e2fe8fdd24a709cbf0554732fd3520b2190

SHA512
6e8f77fcca5968788cc9f73c9543ce9ab7b416372bc681093aa8a3aad43af1f06c56fcbc296c7897a3654b86a6f9d0e8b0fe036677cf290957924377bc177d9f

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Vestris.ResourceLib.dll

Filesize
76KB

MD5
944ce5123c94c66a50376e7b37e3a6a6

SHA1
a1936ac79c987a5ba47ca3d023f740401f73529b

SHA256
7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a

SHA512
4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\client.bin

Filesize
3.1MB

MD5
f4d16cfe4cad388255e43f258329f805

SHA1
fe7cc6c9eb76b5ad97867b46d053fae601fd4a2d

SHA256
8fb6ae3496d4ac025eab443d3e322b0faa3461d25b54093c9205d35746e3250e

SHA512
867045eac0f7765e6bea51e62bc4ed68b1e81ce6c2843d2e08714eb391a8ac94c2571c09828286252248400ea5c12bffa50a25c8ec5ad9e6d0bb836320ec188f

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\protobuf-net.dll

Filesize
282KB

MD5
abc82ae4f579a0bbfa2a93db1486eb38

SHA1
faa645b92e3de7037c23e99dd2101ef3da5756e5

SHA256
ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6

SHA512
e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12

Filesize
4KB

MD5
82e9a52a60f9dd983b1b10f5e6f6c26c

SHA1
33973f40f495fa68dd922fb51d8eda29830ef5f4

SHA256
f3a42061d0240a4ac28d7c7f7bc148478b934aa6c68c5e3e2fe54e51a165249a

SHA512
6ea2086d9ebb8f3e07dcc8d840664c59a18c9e3446e4a88ce2172d96028eb822e6b71277a1fc44d24708f17adefa39f25baf1be7fa5cb7b668a739b39733e824

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\settings.xml

Filesize
370B

MD5
e341552405a31e7fa52ec364089150c1

SHA1
981251e0397518ed9ba382e7fd1f3c0af99daea2

SHA256
1ecd242aeac4f9ec2514af1251650baa9e915518d4f9223c6f583e0c7a652331

SHA512
359331f8ac5b68d25f19d4520955520edbdb46a94b6b26077aa628079e14fadf662e32aa611af2c95359ab82fac3d63c134227fc219bd184a7cceda2e04946ea

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip.crdownload

Filesize
3.3MB

MD5
13aa4bf4f5ed1ac503c69470b1ede5c1

SHA1
c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

SHA256
4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

SHA512
767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

Download Submit
\??\pipe\crashpad_4196_ODVOYWUBGRKTBDKT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4612-873-0x000000001D8C0000-0x000000001DDA6000-memory.dmp

Filesize
4.9MB

Download
memory/5800-383-0x000001D5E1760000-0x000001D5E17B0000-memory.dmp

Filesize
320KB

Download
memory/5800-382-0x000001D5E16F0000-0x000001D5E1708000-memory.dmp

Filesize
96KB

Download
memory/5800-384-0x000001D5E3320000-0x000001D5E33D2000-memory.dmp

Filesize
712KB

Download
memory/5800-359-0x000001D5E3F30000-0x000001D5E425E000-memory.dmp

Filesize
3.2MB

Download
memory/5800-356-0x000001D5C7A00000-0x000001D5C7A16000-memory.dmp

Filesize
88KB

Download
memory/5800-386-0x000001D5E17B0000-0x000001D5E17FC000-memory.dmp

Filesize
304KB

Download
memory/5800-354-0x000001D5C5C20000-0x000001D5C5D58000-memory.dmp

Filesize
1.2MB

Download
memory/5800-655-0x000001D5E75A0000-0x000001D5E75FE000-memory.dmp

Filesize
376KB

Download
memory/5800-657-0x000001D5E7140000-0x000001D5E715A000-memory.dmp

Filesize
104KB

Download