quasar | b497ae4e48e97c04cebe2d1951472e0fdcb46b24d7ed7083a7571ecc3ac24f9d

Resubmissions

09-01-2025 21:48

250109-1n5lfsskf1 10

09-01-2025 21:32

250109-1dl2cstnhr 10

Analysis

max time kernel
897s
max time network
897s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tiny v0.2/Tiny.exe
Size

618KB
MD5

b9f7f125066c414f71fb9b805879a4cf
SHA1

e7a5ea344304f289029d031b012a680b689aa7d1
SHA256

d944181cf3c1dc7b02d30d4802d491a99f42a181446ce1be7710724541210c7d
SHA512

4bd845189e56aaa0ff55a321372ff7b3ab6cf68a272787371c014f70831eca56d6b03365a4f8589b1f3b55a083c8d908e9cb9f6167ac868113354d9ca436433f
SSDEEP

12288:ILEddxz9C1r0twaY0lmJZdwA8mRARNC+y9ErlfSu:KE/XFA4pAARNCvulfSu

Score

10^/10

quasar number 456 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Number 456

Ratter 456:4782

10.127.0.219:4782

Mutex

29a9cb49-561a-4d11-b619-5d042708f151

Attributes

encryption_key
AFF15AE262A0B33ED41C078A19953E1D951806F1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 46 IoCs

resource	yara_rule
behavioral1/memory/1720-826-0x0000000000850000-0x0000000000988000-memory.dmp	family_quasar
behavioral1/memory/1720-834-0x00000000002E0000-0x00000000002F6000-memory.dmp	family_quasar
behavioral1/files/0x000400000001cbe7-891.dat	family_quasar
behavioral1/memory/2760-902-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/2612-914-0x0000000000110000-0x0000000000434000-memory.dmp	family_quasar
behavioral1/memory/1548-1023-0x0000000001370000-0x0000000001694000-memory.dmp	family_quasar
behavioral1/memory/3028-1041-0x0000000000880000-0x0000000000BA4000-memory.dmp	family_quasar
behavioral1/files/0x000700000001cbb1-1055.dat	family_quasar
behavioral1/memory/2784-1061-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/memory/2356-1079-0x00000000013D0000-0x00000000016F4000-memory.dmp	family_quasar
behavioral1/memory/672-1091-0x0000000000BE0000-0x0000000000F04000-memory.dmp	family_quasar
behavioral1/memory/1920-1102-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar
behavioral1/files/0x000500000001cbeb-1113.dat	family_quasar
behavioral1/memory/2788-1115-0x00000000010D0000-0x00000000013F4000-memory.dmp	family_quasar
behavioral1/memory/1724-1120-0x0000000001040000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/572-1134-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar
behavioral1/memory/3004-1228-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/memory/1964-1248-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/1192-1272-0x0000000000BC0000-0x0000000000EE4000-memory.dmp	family_quasar
behavioral1/memory/1780-1273-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/2140-1282-0x00000000012F0000-0x0000000001614000-memory.dmp	family_quasar
behavioral1/memory/2880-1285-0x00000000009E0000-0x0000000000D04000-memory.dmp	family_quasar
behavioral1/memory/460-1294-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/1160-1295-0x00000000012E0000-0x0000000001418000-memory.dmp	family_quasar
behavioral1/memory/1160-1296-0x00000000004D0000-0x00000000004E6000-memory.dmp	family_quasar
behavioral1/memory/2684-1309-0x0000000001300000-0x0000000001624000-memory.dmp	family_quasar
behavioral1/memory/2856-1318-0x0000000000280000-0x00000000005A4000-memory.dmp	family_quasar
behavioral1/memory/1268-1327-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/memory/2932-1336-0x0000000000E80000-0x00000000011A4000-memory.dmp	family_quasar
behavioral1/memory/1004-1345-0x0000000000BC0000-0x0000000000EE4000-memory.dmp	family_quasar
behavioral1/memory/1952-1362-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral1/memory/648-1371-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar
behavioral1/memory/2300-1388-0x0000000001030000-0x0000000001354000-memory.dmp	family_quasar
behavioral1/memory/3056-1397-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/memory/2164-1406-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/2444-1415-0x0000000000340000-0x0000000000664000-memory.dmp	family_quasar
behavioral1/memory/1340-1432-0x0000000000C80000-0x0000000000FA4000-memory.dmp	family_quasar
behavioral1/memory/2620-1449-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/memory/1044-1482-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/1108-1499-0x00000000011A0000-0x00000000014C4000-memory.dmp	family_quasar
behavioral1/memory/2636-1540-0x0000000001360000-0x0000000001684000-memory.dmp	family_quasar
behavioral1/memory/2244-1574-0x0000000001290000-0x00000000015B4000-memory.dmp	family_quasar
behavioral1/memory/2492-1583-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/2620-1600-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/3024-1609-0x00000000009B0000-0x0000000000CD4000-memory.dmp	family_quasar
behavioral1/memory/296-1618-0x0000000001380000-0x00000000016A4000-memory.dmp	family_quasar

Executes dropped EXE 57 IoCs

pid	Process
2760	Quasar.exe 2.exe
2612	Quasar.exe 2.exe
604	Quasar.exe 2.exe
1548	Quasar.exe 2.exe
3028	Quasar.exe 2.exe
2784	Quasar.exe 2.exe
2356	Quasar.exe 2.exe
672	Quasar.exe 2.exe
1920	Quasar.exe 2.exe
2788	Client-built.exe 2.exe
1724	Client.exe
572	Quasar.exe 2.exe
2984	Client.exe
3004	Quasar.exe 2.exe
1964	Client.exe
1192	Quasar.exe 2.exe
1780	Client-built.exe 2.exe
2140	Client-built.exe
2880	Client.exe
460	Quasar.exe 2.exe
2684	Client.exe
2856	Quasar.exe 2.exe
1268	Client.exe
2932	Quasar.exe 2.exe
1004	Client.exe
2760	Quasar.exe 2.exe
1952	Client.exe
648	Quasar.exe 2.exe
1444	Client.exe
2300	Quasar.exe 2.exe
3056	Client.exe
2164	Quasar.exe 2.exe
2444	Client.exe
376	Quasar.exe 2.exe
1340	Client.exe
2480	Quasar.exe 2.exe
2620	Client.exe
2960	Quasar.exe 2.exe
2180	Client.exe
1912	Quasar.exe 2.exe
1044	Client.exe
2736	Quasar.exe 2.exe
1108	Client.exe
2512	Quasar.exe 2.exe
2480	Client.exe
2620	Quasar.exe 2.exe
1972	Client.exe
2636	Quasar.exe 2.exe
1092	Client.exe
2536	Quasar.exe 2.exe
2336	Client.exe
2244	Quasar.exe 2.exe
2492	Client.exe
2620	Quasar.exe 2.exe
3024	Client.exe
2932	Quasar.exe 2.exe
296	Client-built.exe 3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
65	camo.githubusercontent.com
72	camo.githubusercontent.com
105	raw.githubusercontent.com
106	raw.githubusercontent.com
71	camo.githubusercontent.com
82	raw.githubusercontent.com
96	camo.githubusercontent.com
83	raw.githubusercontent.com
84	raw.githubusercontent.com
97	camo.githubusercontent.com
98	camo.githubusercontent.com
104	raw.githubusercontent.com
73	camo.githubusercontent.com
81	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiny.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 51 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1652	PING.EXE
2588	PING.EXE
2264	PING.EXE
1624	PING.EXE
2136	PING.EXE
2648	PING.EXE
288	PING.EXE
1964	PING.EXE
2028	PING.EXE
2824	PING.EXE
1588	PING.EXE
2464	PING.EXE
1524	PING.EXE
1940	PING.EXE
2220	PING.EXE
952	PING.EXE
548	PING.EXE
1324	PING.EXE
2900	PING.EXE
2060	PING.EXE
1704	PING.EXE
2452	PING.EXE
3048	PING.EXE
2328	PING.EXE
2936	PING.EXE
2188	PING.EXE
1436	PING.EXE
1684	PING.EXE
2152	PING.EXE
2116	PING.EXE
1096	PING.EXE
1660	PING.EXE
1932	PING.EXE
2884	PING.EXE
2260	PING.EXE
2416	PING.EXE
2860	PING.EXE
2812	PING.EXE
2372	PING.EXE
3048	PING.EXE
2036	PING.EXE
1376	PING.EXE
2244	PING.EXE
2288	PING.EXE
268	PING.EXE
2360	PING.EXE
2820	PING.EXE
2776	PING.EXE
3020	PING.EXE
1528	PING.EXE
740	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3044	ipconfig.exe
1720	ipconfig.exe
2240	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 74003100000000002359a8291100557365727300600008000400efbeee3a851a2359a8292a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000030000000100000002000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 6200310000000000295af1ac10005155415341527e312e310000480008000400efbe295af1ac295af1ac2a00000032ca01000000040000000000000000000000000000005100750061007300610072002e00760031002e0034002e00310000001a000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "75"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Runs ping.exe 1 TTPs 51 IoCs

Remote System Discovery

T1018

pid	Process
2244	PING.EXE
1096	PING.EXE
3048	PING.EXE
2136	PING.EXE
1652	PING.EXE
1932	PING.EXE
2220	PING.EXE
2116	PING.EXE
2648	PING.EXE
2328	PING.EXE
3020	PING.EXE
2936	PING.EXE
2416	PING.EXE
1684	PING.EXE
2884	PING.EXE
2372	PING.EXE
2464	PING.EXE
3048	PING.EXE
1660	PING.EXE
2260	PING.EXE
288	PING.EXE
1376	PING.EXE
1588	PING.EXE
1436	PING.EXE
952	PING.EXE
2588	PING.EXE
2264	PING.EXE
2036	PING.EXE
1528	PING.EXE
2860	PING.EXE
2188	PING.EXE
2028	PING.EXE
2060	PING.EXE
2900	PING.EXE
548	PING.EXE
268	PING.EXE
1524	PING.EXE
2360	PING.EXE
1940	PING.EXE
1964	PING.EXE
2824	PING.EXE
2776	PING.EXE
1624	PING.EXE
740	PING.EXE
1704	PING.EXE
2152	PING.EXE
2452	PING.EXE
1324	PING.EXE
2288	PING.EXE
2812	PING.EXE
2820	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 23 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
1940	schtasks.exe
1780	schtasks.exe
2412	schtasks.exe
1084	schtasks.exe
880	schtasks.exe
1676	schtasks.exe
1956	schtasks.exe
2932	schtasks.exe
1724	schtasks.exe
2796	schtasks.exe
3040	schtasks.exe
1580	schtasks.exe
1332	schtasks.exe
2556	schtasks.exe
1308	schtasks.exe
1968	schtasks.exe
776	schtasks.exe
3056	schtasks.exe
2636	schtasks.exe
472	schtasks.exe
2912	schtasks.exe
940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2148	Tiny.exe
1720	Quasar.exe
1160	Quasar.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe
2148	Tiny.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1720	Quasar.exe
1720	Quasar.exe
1720	Quasar.exe
1724	Client.exe
2984	Client.exe
1160	Quasar.exe
1160	Quasar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1900	1980	chrome.exe	32
PID 1980 wrote to memory of 1900	1980	chrome.exe	32
PID 1980 wrote to memory of 1900	1980	chrome.exe	32
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2796	1980	chrome.exe	34
PID 1980 wrote to memory of 2912	1980	chrome.exe	35
PID 1980 wrote to memory of 2912	1980	chrome.exe	35
PID 1980 wrote to memory of 2912	1980	chrome.exe	35
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36
PID 1980 wrote to memory of 1508	1980	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Tiny v0.2\Tiny.exe
"C:\Users\Admin\AppData\Local\Temp\Tiny v0.2\Tiny.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ff9758,0x7fef6ff9768,0x7fef6ff9778
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2384 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1296 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:2
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1456 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3696 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3488 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3680 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3604 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1420 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3616 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3452 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1248,i,4701866282647704461,9588908839867002671,131072 /prefetch:8
  2⤵
  PID:2272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
PID:1600

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1720
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
  2⤵
  PID:2804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2748

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
1⤵
- Executes dropped EXE
PID:2760
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eDSQ90sYzUjo.bat" "
  2⤵
  PID:2676
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2764
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2028
- - C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
    "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
    3⤵
    - Executes dropped EXE
    PID:2612
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\znfLb1fZNORB.bat" "
      4⤵
      PID:2636
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2280
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
    - - C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        5⤵
        Executes dropped EXE
        
        PID:1548
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\r9fP00PkfjmT.bat" "
        6⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        7⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LoIS723r0tgf.bat" "
        8⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2372
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        9⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\96QQpSkARqCZ.bat" "
        10⤵
        
        PID:264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        11⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\o6QEI4nXQhc4.bat" "
        12⤵
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        13⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IlzoZrjUCKts.bat" "
        14⤵
        
        PID:296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        15⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\k9j8MfCt2cCW.bat" "
        16⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2116
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        17⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMm11zU59aET.bat" "
        18⤵
        
        PID:540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2220
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        19⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qiwAyEsAxzYP.bat" "
        20⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        21⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NTq98EPz0onM.bat" "
        22⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3048
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        23⤵
        Executes dropped EXE
        
        PID:460
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CaNJqRBdhSdW.bat" "
        24⤵
        
        PID:2260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2588
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        25⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I8PemYhbXlAT.bat" "
        26⤵
        
        PID:1212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        27⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMlYH2RLm8At.bat" "
        28⤵
        
        PID:2288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        29⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YJ7vLq5OyeXN.bat" "
        30⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        31⤵
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqRuVUGOsw4w.bat" "
        32⤵
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        33⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zR4xtKloXtk9.bat" "
        34⤵
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        35⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0YlNHIdeyQtC.bat" "
        36⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        37⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I2sQalDtLd2p.bat" "
        38⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:288
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        39⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\25yN7tczYAxS.bat" "
        40⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1376
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        41⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DnIT1O7lJx5t.bat" "
        42⤵
        
        PID:1968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1324
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        43⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LPPBbv4hz6pS.bat" "
        44⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1652
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        45⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIfHX94u2tFb.bat" "
        46⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        47⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uJzPvkYIbmmq.bat" "
        48⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        49⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WGWN4yFGQM1I.bat" "
        50⤵
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        51⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RrmHJrtg4Pwu.bat" "
        52⤵
        
        PID:184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        53⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RFcFQoOcHAr1.bat" "
        54⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        55⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5y06Yi2ayl6X.bat" "
        56⤵
        
        PID:1380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1436
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        57⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TZP70cSPmJJv.bat" "
        58⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
        
        "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
        59⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Ni7ll0bpbF9.bat" "
        60⤵
        
        PID:1224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:740

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe"
1⤵
- Executes dropped EXE
PID:604

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe 2.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe 2.exe"
1⤵
- Executes dropped EXE
PID:2788
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1780
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1724
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2412
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\CpGsbaUc0YEW.bat" "
    3⤵
    PID:2372
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1744
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1096
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2984
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:776
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKUW3n0jhug5.bat" "
        5⤵
        
        PID:2348
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1584
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        
        PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-895176920-1612333693852913210418111630-101166920-1728822225-716714194-1714284812"
1⤵
PID:996

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe 2.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe 2.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2140
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1724
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:2880
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2796
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKrC3ewlOFwi.bat" "
    3⤵
    PID:2168
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:764
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1704
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      PID:2684
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1084
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ONtWbQngkO1V.bat" "
        5⤵
        
        PID:1972
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2056
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4GlyKTjk5ybX.bat" "
        7⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wpe5yEyzustn.bat" "
        9⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1KYEzD6QC5A.bat" "
        11⤵
        
        PID:764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bfi4gOtfJPda.bat" "
        13⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gY0E0KDxEExC.bat" "
        15⤵
        
        PID:836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:472
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JhomLf7hiE34.bat" "
        17⤵
        
        PID:1852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PODQlNr07PYo.bat" "
        19⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tZmgBf7z0xrL.bat" "
        21⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jvoFrZRqL9bk.bat" "
        23⤵
        
        PID:2312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aV1UETDDFph8.bat" "
        25⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQX3fCwnj9EN.bat" "
        27⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yA0VLptBtadw.bat" "
        29⤵
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:268
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y4v6wblRfFMY.bat" "
        31⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\laD5RWHEpdCY.bat" "
        33⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jH5VibwOQ3UI.bat" "
        35⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\apcW6tLMPc2L.bat" "
        37⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\A8krFYUGmnnf.bat" "
        39⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:1660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2129121186305496436-10073611341222327584-1798474492-17007492666894341111953728900"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-102863790310747857-1476093356-166889015214159513062052822757282370817-1262839121"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1111905071-2917048751449528604-864279533-894376726-10522527121031341475158276776"
1⤵
PID:1744

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:928
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:3044
- C:\Windows\system32\ipconfig.exe
  Ipconfig
  2⤵
  - Gathers network information
  PID:1720
- C:\Windows\system32\ipconfig.exe
  IPconfig
  2⤵
  - Gathers network information
  PID:2240

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:996

C:\Users\Admin\Downloads\Client-built.exe 3.exe
"C:\Users\Admin\Downloads\Client-built.exe 3.exe"
1⤵
- Executes dropped EXE
PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bb591ff040c7b73320c431529711fc0

SHA1
e96fb2fd01f41aee814f13328c89b460b1bbbe0c

SHA256
34d3110595fb99d015cf27e036cdcfe674111b275e504d5fc9f307c046df6f69

SHA512
0cd2b702b1639f4883728b0161662af5ac0596d38287f43a4f2a36bdfe0c86cbeddc955cd011aa4a945bd762bc5e1ff282d16554667260fa1e25447e26e3c5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5290cde9bfa3d4e856d234e57d889eee

SHA1
bf42aff2a140ef7545efdd6083b322728e734280

SHA256
75b958161b8295c1da71a774a553a9bd57d247b7020feffd683e9eb7591137be

SHA512
a22eaf9d131e28bd900c61c4e17593c3d1763cf970581ab0cdfbf3780b1b189a7f713743cb4f3bddfdbf5763bfa864403d5d8b05e5aa7cc600a650e144ab9c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0a6c7064-e767-462f-ad5f-01079c81ce1c.tmp

Filesize
6KB

MD5
2aa9264af17303be53b93d6f2ba99f78

SHA1
8075f91c6404fa65551e3b4f9d9a930aea51f69b

SHA256
68550ba4a962b26538af6e2e6f283a15a0418525b7ae0648f37187c65b730373

SHA512
006225e5f44b7624a4c2abf1cf2aff91613f5922bda896b304acf4041611ef69fa4a8275949cd580818573e131c7fe29bd20b623c1b91237937ef66b0f901596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1e8b7a2a-c3da-4a1f-8272-3a9a02f37bf9.tmp

Filesize
6KB

MD5
00b05690c1ecc064115e17b80df7dfb1

SHA1
8b3470c545a654b4c7686f4435bcd5f37803b4d6

SHA256
d0ba72acb59fb1fdf9caf0d0aeea9ef294346065d7766dfd9deac9bb1e4eed77

SHA512
d49a79d498389aba5544cabe2800779ec014978cd66428e527b966b176552222bea8ddb4c1c6a4ece4c1df2fef77abf226d33b5cedd3fc98f06740058a1b03e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e76bffdafacfa65c68300327baebafa0

SHA1
a47c0a770f902ea3f602a9bfaa0d07a65054070f

SHA256
f839c4319929e95ab028788d2a73d17d2385df5e3cb5916481eaf15ca07a41eb

SHA512
de25154851d575ef70b4b388157b164f58fa96052af861f1f04ddff8e4abd924c3ac76d87518cd1cf6aded659c82a13f31a5a0aeb446b29d2392c4ece19eabf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
e676846de1373a8c37d705e374a554e5

SHA1
8971152e0c97830b6137361f531479e074a41f38

SHA256
069f5d9c06e494fae87f0b008cddb6d5322fa37821d7daa713fce0ae66495fc3

SHA512
8b3de1872dc74788add32beeff4c14d4fdd89b082fa613bf7800fc0cc08562172882278f4f6e55320ec6efe9f4fc146e71b27fb8322c4e58f46bef7406d75d0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
075cb899b9140a27ee68dd60b6b55ce4

SHA1
4ba694031dc592ade0c2502055435feae45e4c6e

SHA256
9ccb39e9945fab503a62f39a4d9ce280bff58f57a84818952fc0e731aec5b5cd

SHA512
8db8e68a678ee79c351ef2dfe5be896dec2f457c092d727dee9cb5b67fdf357c2d27c7023b54fba43fe66daddae2db216f1ee9c07b2c618e8d5c69c68bf6afbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2adb2ceeeba2f841b2c769117ccf1eb8

SHA1
fed223c096c87fa9b325ddb9a1a9670609a30cae

SHA256
3be2a8ad0db9afb0d3d673191ce3e23202ccdba5f5fcfc33779f19b7aea34a8d

SHA512
669488e435d28aebd6c134e4cfe8592b1f07e69f76ee096bbf5dbaeba3f015e615c441cfd741cea3591d10cc698f42064b34132c2e6fbb3daff3b8c573dfca00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
525B

MD5
7dc01c481e3c254cd7ee01765785392d

SHA1
c56ca68cf8d887d24efd7ce2e13c52101d93a30a

SHA256
24c3b8818ed52ac12006329c86864edd03e9598f812428356a8cc442712e5c30

SHA512
53f072789e4507669cdfd7fce741738ccf883c0ade8854cb6f169ee1283196701c7da628c5744c7bcfcbc1154bf562fa99edd4835df81bea10607679af427815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
5cc62b41a1b50313b762422dde718816

SHA1
d9b0856a4925755fce7626310159c0d79c0eb65a

SHA256
5bfecd136d602b6d18033bb474ba373f91841fa687fe1f9ea65a9669665af772

SHA512
eb211f6017900dc02c6fca9f88cfabf731232ff037e54bd73711e087bedd97ec712cd26ee60f634afe52bcacfa3e61214966b2c9a32b60c0a82180fc15f17117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
d4cfd4f806615afe11ab1eb30a7ab13b

SHA1
d80ca8ea880f442f411d6b62aa0387fceadabd79

SHA256
d4fdceda12e86efcaae7ff32e0377ab84203916679a080419f098103d623ec28

SHA512
42feecb1c693707bfde6483815a587a17038a85effa3b525e54bbba9ae998f5533ab5782e89ac9502d4abf6421d33659567e8c5e639eb7e3032e4657cdee72c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
02309335bbdfe26c3a173e7c98eaf7d5

SHA1
9918dbc850b8c23e84d306ccd65fb3763de5f7d8

SHA256
3187a825fc947085f5f8ee7aeea0bd443ddefcad94f98c2146e9b6b274077548

SHA512
334101cd506f37c6de3193c140e82b03d98d80b61435d289d172a53476ca59d5dbadba9895019ee257895d76e4de806365de4178561e16ce40d9ac637c7324aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3ff303d3d0d935d16eeb8edb0fe01007

SHA1
ec71b3ba31effe5de6c46fa2487d58af6a6b223c

SHA256
b51e714be3c50ac9d200d4727be213c2b03ba2a56cb2d00652101e8ab1c8b705

SHA512
c5904cbe9e073d759740a80381f6cbb99942243bdb2331a3a68243955028a3c1c9f8408878a54f7de75266e642ac333bbed5d3dcccccb3c85bb1b83e93fade31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
30ad7d70675bcfd374b5657832a986da

SHA1
7c4eb267f680af10b3898e6619f9c9ba977dc649

SHA256
9a0b6e82f72cfc53f1d8a17e3ebc5e0c066cfb65c5b9804101dc002c2b9305b7

SHA512
6e3cd51a64494b8bfa87de2021dfa1c179cd9acf346a3e5f0d69a4d01324a0ab6b271849d6a914bb051a2278b90bb7e07305f22fa6ab97821dec1b7ce73163b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
230af3b8c3aaf7f9a2fb6b00348d8da6

SHA1
6ec0bdec9e57c200c9526f191cb6e00c5821a8de

SHA256
0f8cb1f0fe11f25b4c209058b1cb721a4585b5139bf45546d0e52c85b2dec101

SHA512
51e5955af5c50dbc0aa19c0cb7791c60106ffc2ed15d71b332a395caa04832ab2c3780cda2ce26a24f63ecc205c0248fbe59c8553a64c935dd53fa72da723320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
5b9a55db532043fb7699c8a627968323

SHA1
1fa722819c21a75f884f5eb106e620764ffe7f04

SHA256
e461e47b7d46747ab149ad90b7bb86b2dd527d6ae13081232619a9088f5f0b74

SHA512
0d213167edba9c0f0092e9d8fa54b955ac3a15cedfea7438d715858a5fc7afca932ce43da09004f3ba2cdf58582f0b079f6df9f3de9d033c8cbb963bffb09030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
74KB

MD5
f1ef76f7090a4cbf1c5f57ec5a855e3a

SHA1
d6aa3dcfb5a443cef06afca43db14295e5b8859d

SHA256
843a2afa0767d0f41fc599c9ef51839f220dab277788c08bf42e2be16512282a

SHA512
c2270fde3683aafdcb1cd5db0ac165d4a2e1c854fcfcc2361a6948e5e0667c04d40052b1d4a09ce78a902b9f02e74c6f7b089f683049520c3091541fce8140c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c24a4f01-7abe-47ad-9b25-1e21a029fe3f.tmp

Filesize
344KB

MD5
fbc9e551a106a7f0a65bb2b418012789

SHA1
abcb28c3684adfcbd6d2ee7659d12ef48505b5f7

SHA256
ddb2102ecffce9994dfa33a9ecdd4bde440a9534caa5210252889fd75703057b

SHA512
0b28a32eddf3857bf7d71de6564874d27185df408d8e8a715d70cdff10c09a7218e9a2c3e26c6541225be8f6f4b71b187b601ccd429a4d120a61c01e723bb203

Download Submit
C:\Users\Admin\AppData\Local\Temp\0YlNHIdeyQtC.bat

Filesize
228B

MD5
eae20d992bbeff5d3842343e4f4c21c9

SHA1
f6d431a2e78ef2c9f6003654c2c2ce63f21a5c55

SHA256
f31062175a03503aeba06f64224c7e69178248c72967e6d5b35f312afd0fe609

SHA512
72910359ee8fb42cc27baaef5a01801ba54146ecaffec7b42ac8531533e6eae583c617edc4d6af9807ede7464476c3b5d847f11db66ff8ea0e78c2ae6a362b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\25yN7tczYAxS.bat

Filesize
228B

MD5
d1b6484aa49e447bd40a5e450b6606df

SHA1
01531d50cd6698604bf4c8eeafe663b659000ac6

SHA256
c04c19698f5fd3ce626139d5cda0584680a6f792a4dbc9ee0dba9c7e28d2bb00

SHA512
37ecf0526731680a0a054158ba2abb15610e1db3ad0dd8777235b34c22133f54b3547ee7fd284a3120e789fd9ef0afd6626393566fde576ac5cfefa92c546b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\4GlyKTjk5ybX.bat

Filesize
207B

MD5
cae15f63c63051cee071f3e957a85dc5

SHA1
888c1c2d74e3e4e5e6fb2f2216d738282ccddb3b

SHA256
ead3234a10ebbd7533dda1cff222035644f6a378d7beff90973fad963a68f7d3

SHA512
bf46d084fc20a0aac572c7126dc1a8cb97ac5415499db39444bdf638d3efdb0d9bab59b7e5aca2a0e23d261e0a3af299daf44dc9d20bce2bbb89913266ecd517

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ni7ll0bpbF9.bat

Filesize
228B

MD5
fefd06883b16157f49a5c57cd291e749

SHA1
c1bc506fbee347a4976e108be5705db49627c90a

SHA256
3da38fd90ba7a39bd76d000ee6c12c5af2737a09124c58d0dca1abd54f7582e4

SHA512
4bef0230f22dae0324e7a5ff970d5c3cda78429cc117ba060a83b8aa72505566a7fff9dd891a496f25e25e9ba56821f9a786e48bbd86f84dcd8e3557ed600156

Download Submit
C:\Users\Admin\AppData\Local\Temp\5y06Yi2ayl6X.bat

Filesize
228B

MD5
2be494f4a56a7acc20988fc206cbc95b

SHA1
1f2a7c7798ea3853aa06c9bc3779671a709f5558

SHA256
81462580b6d949306eb1e8dfe6d6c13d867b49d03b1e6441bd17382d9dcad5b5

SHA512
af453b74270ca9697e00cc5e908151a25ee9eb3677e6765afbc662cde11ba8e81829c9050fe25fc9ed512dd4eaf78040294041f615fd6cd119227f80d959282f

Download Submit
C:\Users\Admin\AppData\Local\Temp\96QQpSkARqCZ.bat

Filesize
228B

MD5
36bc31311ce80efc29f2be55922efee4

SHA1
7aba4e55ea425f85d8deaab71de78f74a312a525

SHA256
e2723283d08b03ef8c6d3c8f35cedf0c7e99b52cab0ce4103450b3d3366f1e4b

SHA512
b5a58fa6719defc2bffa5bb8b1689027c633237787c62bfc285f28b31527c531d093f27a0bb41cc57043ae3c0264e66164fa533c473e489d992477520d6e9afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8krFYUGmnnf.bat

Filesize
207B

MD5
24340b03c22d99f85e616fa5b61fa326

SHA1
8ec499daa0574e5997bbe5803adf83f6346d6894

SHA256
39eb1f340e8919466899adbab60dd73854ff8ec1dce5214fe4f7889197557986

SHA512
a235134b555fb934b21dffd322c570302e7a88b868d55840941a9e3363258dabf80d4f491c86bada9573a9b39b2e4fdce8a72960fb2daad3858cd8e3879c51d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bfi4gOtfJPda.bat

Filesize
207B

MD5
0894b31cf8fe89220b8196a7c94aa6dc

SHA1
a822c83914301804bbeb5ed536d1f534b509c690

SHA256
2bad640858e4f6d70d031d5da80b4b929f309861c543833c843de9d569987205

SHA512
a34fbdeff6de427cfd562b2ec3643091f0873999051909c6addbe24430051c47a4d0eeff0855b27d0f1a1c9b660b0d334fb77950d793729a21610755d301984e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaNJqRBdhSdW.bat

Filesize
228B

MD5
1edf50d91fc92f26cf909e623baebcb2

SHA1
ae370a75c697e66b4bd60c373ac1915eddf639a6

SHA256
1f452b2afb2908998c7879033dc54e38b7223e8f56f45434f36f57063c05f9f9

SHA512
c2404f91593f2cc447fa9a88caa3105419b55d9c353541fecf3c3778675068595888713f06436ac893948f82f5bcf02c237c345580728df55cbe8317b5cd0fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB05E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CpGsbaUc0YEW.bat

Filesize
207B

MD5
1abdec8a07095fe08d4262ddcce02fb1

SHA1
c0bad2ed04a1db16760917bb1be746cfbe0654e9

SHA256
0516db8535c0e8ccf7dad24e4f9c966936ba4999cfabd94ffd24cbfc85c099c5

SHA512
fa61e0e8d1d9669ab26b6ad71fdcff257f286aa623e4e778bcc8035a66be410608fcde3e5e560b4ca47a0e4490bb764857d14456c7a067beb14e6bf404ee1c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnIT1O7lJx5t.bat

Filesize
228B

MD5
9809fc572491233c72f972e8b60a6083

SHA1
c6742e8167a1b0f8b756b0ca232f8c6d69055f49

SHA256
38f7d444a5e4e949025676ecd305520a7f2f8a7abebabdc535c30ff3d76d6ce9

SHA512
d4f11a8b1f5bfa9783e393c43e2c1ab1642ca03d9f36a1c78bea68a010ade94f8e4e7e2ebea8408612cee807d567bff5e1ec62d93fee1d4033ea091df35fd655

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMlYH2RLm8At.bat

Filesize
228B

MD5
1e0cdf0dde4bd8dc3fb61c31b8b7701a

SHA1
dcc15d5b9a2abbb5d5c6ac180c2f2f5939146c48

SHA256
a50df4c1d83d3a81c78816bf634e422c4bbb678b1bef7f5743c4cfbe4c866638

SHA512
32ffd08fc27a2fbf9198fe1547a3f3ef109ff695d2614031a76b71c2678eeded9b31e31a823eb8fbabb0e0b0c40bf734d4475c809004e7eae300158ca0147943

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKUW3n0jhug5.bat

Filesize
207B

MD5
ff601d89bb3e2e248a1359d7be34798f

SHA1
040c56f7c8b6d3943d74daf466ec95709173e32e

SHA256
6a2b471e6634540b2905387a2bd731bfa7da393ff44c594f96560a1fde84e57e

SHA512
3d15e203030da967d3869f9d6b1e47663c044204a869a54fa2504c63ceed3b265c451bee0ef136fd7b4be30ace49f92b4c885fe817b6f7afe81822af65b4fa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\I2sQalDtLd2p.bat

Filesize
228B

MD5
56126c06e3958390eba46f3e638c77d0

SHA1
aacf7e136c5fc9c5f2e0a8d21074a097901b1bd1

SHA256
71d27f64156d6af22a51f0e5efc9f95bb4f7c1de4f7113f2474381e62faa7f74

SHA512
c31585e85057b62b4c6f7d9676ab5df930ca41a9f473a7ef9fb9ff0577832eec85f6c3962ecd291b45fb9fc853d72cbd7ca45d345249c684a14568ac2cefb665

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8PemYhbXlAT.bat

Filesize
228B

MD5
5df2651ea51e1202e989e474ffe07ddc

SHA1
f0c8ced8d7abb19c13ab0f8dc410ab98b69d8936

SHA256
6617b26a2787a6e6900b18cb982c41aae03cafbfd5a68aabcf9242c9ba08ddf6

SHA512
f7f84dde56aae451ee6f93cb312d90d9101049e001473f276bc64c6c25da80503174670eb87ad54d837b2b0ddeeb76d099dbae8c73272b36199424abb5c35884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IlzoZrjUCKts.bat

Filesize
228B

MD5
d1fdfb9e46dba5844758f1461f9bb5e6

SHA1
e2487c587715721c91316cf516142ee43515c4c7

SHA256
523a14a7bc7a631cd0b4a994ed656a47d8b1d7173622f74ee2e76a62ed293652

SHA512
60e8a6d8b3c12aab6175a4dcbfb374fce16ced0b56828e3b4fc8ff9e417cae204490255ea3d08ccdbf4f591a4e3d23720e26f02de94748b550b7e57055875baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQX3fCwnj9EN.bat

Filesize
207B

MD5
b6fe52da1976d2896a7ff4381edce9fc

SHA1
2d12a1fb8d1a22d4f4bdb1b72f44837197dcd6f1

SHA256
9d4acf12eedc187839dc922c73db5097f9e67eaf5652b34d313b65b1975bb918

SHA512
77faf71ea349b086a61137c4931c36b68c6f49733ce8a6d7714cb882e3f5f5cda2be2ca62a795f90f1b2dc5f15fdc8a2315bad072dce0ed7aecfca6866ea77d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhomLf7hiE34.bat

Filesize
207B

MD5
ccf2dac3caafe139c8b6e67bbca60100

SHA1
64f6119b413d4f20b3c0421da10341f31e37f5ea

SHA256
1625d40caa7959139f456690e7e7c3ec923442cdd2e57cdd319a402f6400a1da

SHA512
51ae027b5e2fa782eecdd6a035cec96afffda2a4388a4e92d9c9e2e316697eb97f3a08da07d0b42757a0fffa841ecd0503ec25b164a89facd350f361fe3ad9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LPPBbv4hz6pS.bat

Filesize
228B

MD5
3eece216d5eec770eb4de5c2ac57630d

SHA1
058dc06710a2b6142f4b9704f2941575919c7d84

SHA256
c2ecb3adfdff2d69821c67c02e4b3fca07a7772e564fa8f3cbb70c639bb4fa03

SHA512
7fb6b1447b59194f0708020d8c51f3997cafc2b5568a4e40a69f1ab5b75f536e683667e1605b54ac978c9a6be694a1d577b282169cd6cf3badd874d1eeaaf752

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoIS723r0tgf.bat

Filesize
228B

MD5
00634441c375dc259f5d838a286cf2b2

SHA1
77d564757c82d7988126ede69f89aee49c6a8455

SHA256
27832243b71487138756827a20986f5c752ce36648916c2c2a9fe99430449c75

SHA512
5c09f1d059ea7b72625c3252f29498d8806ee46ff23643fe861ae08bdc971c2d5df4d8d604bfe3eced825d0d4b3fffa0d5404ee36008d41fd37910ac30274dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTq98EPz0onM.bat

Filesize
228B

MD5
11feafafdb5a6e3efb9e54ae55674fb3

SHA1
fd76a4fb9dd12ff76f193ea8f60ba5992795abb6

SHA256
06abeb56de27d8c82794f0ef16fb161963dd81d1e3620437629b332da3d00151

SHA512
7540cf3561630fadab252a622a20994320c9e51c09dda45440b2a05efff018c6af7daa02b0ffda243e024505ec43f9666f17559d955cc8d3751078c06824c6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONtWbQngkO1V.bat

Filesize
207B

MD5
3b667b3fec2dd9a9fa7a40ef0e0d014d

SHA1
f20a4934a619ff4b12315bd5d0136e51db431746

SHA256
a3c8040e646d9cc494f5c36137740f4174380e35d46ebc6ad15bbb93b179c799

SHA512
91ba6bd3e314cf1888bc76e6584bb50f20382069844108c57c7700dc00560600505abfc06d36555bbdda713c6b8b68ae5c8ce1385b24f357de6fc1065b1772ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\PODQlNr07PYo.bat

Filesize
207B

MD5
43f3a0505b5d0e7905ce93ff464b3873

SHA1
a07f214eefb0ae7a78e7055aeb2701c464ddac10

SHA256
105b99063a8df1229bc347162e85ee28bcbdb50032410b808d16a7f19a29246e

SHA512
43cc279a118ee00aad30189bd8cee5906eb2ba06039ad03697171b0732385bc5afa1e6fe3326a18cad42a10d387c46bf49ce42f4476e1d08e06ac8c1592e57a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFcFQoOcHAr1.bat

Filesize
228B

MD5
1e27fffc78d8a13d1599ea58a4a2a567

SHA1
363214342bdb38131f1589ff748dab178f0f90f8

SHA256
8398bc32ad8839a5dad6aa429781c179acdf4db6e58fcfc7b65f2e527235218b

SHA512
8eb67ceebd3097f6f08aaac92546b04b47b2f89a4447036795c616bfb5111e6b34bd499b80a3a6073eefef6106acd87d0358fecd49617db3759c963c282e24f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqRuVUGOsw4w.bat

Filesize
228B

MD5
c4ceaa12b04a9713610807d1c7cb9d69

SHA1
026853ee92b149dcea87373c22f222cd58a67c98

SHA256
1d60bbdafd9209f263d23014b1dda147519fee5b463f17f9e2578cdc80c6b949

SHA512
034a2d2e2905edde7bca4e881e1ad738c6c54c69a9a390700253e3f172a84d4dc108bc785e200b95f8a3a0f9c05c4c436562740ac3d538a6873d3452b75d4be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RrmHJrtg4Pwu.bat

Filesize
228B

MD5
b445670ff2549191f30b9b500d9f6dc8

SHA1
206ca03d67c7e63906e41238d79a914daf341dc7

SHA256
a3026cd48aeee439266ff5bac1b4052c56bc5e86f5933d014436d49bd9006bd3

SHA512
0d8540d8fb7d052a71b3e2a7a6af8940140b34d070d0a395192e0f7943476838f20f0d33f9a9429def824f74299113a4de602f6dcb9a62d3329e210a3e9633f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKrC3ewlOFwi.bat

Filesize
207B

MD5
6fabd5ff0e948269fcd20bf39bc8783d

SHA1
28896b82c9585af8e402ede3221f673e268b52ae

SHA256
76a9534d20c9b29dee9bf0e38914ae2b60cda0ab59517f0b9396677bd0f24ce8

SHA512
2afdf733eceba57cd43320fd9e28e137653ad7da1088f43ed088d9bef0a7a6cdd97c86d320e7e603157671fb6d85a23a66e69f7cf0c6e339744584e961602b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMm11zU59aET.bat

Filesize
228B

MD5
0f24fe26e5dbcca6e85496ae4fe9f46b

SHA1
d2b95a6c2667d2c8c5fbc87923dd22a9d4a53c11

SHA256
359f9a77828bbe914abaa6858ffa70b4c1dbbd59ba97769d782d5b2ecf1cb146

SHA512
627339255ec2704b6d71c68d74b69e74e4c2b293a6f05e85b196ad7b8c8f1321b9a4fed29b643a384451101a5d30f394e28d3fc20fc200bfa9952166a488af1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZP70cSPmJJv.bat

Filesize
228B

MD5
debdc67a125421b74f736fa35656f6aa

SHA1
d0901ef233158303cdbda85897aa4e180d7dee3e

SHA256
cf7327b6dbc3bc52f29f9c6c11695b54c84e5164617c32ee26761de7041df444

SHA512
a8266a9748049f942f975ae417f9ae78ebcf11ac72a475b70eaa018fc15d620cd7479c79c224df2124aa7cba9d01006cbda4637b14677df1f5a133ac7fc30a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB070.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGWN4yFGQM1I.bat

Filesize
228B

MD5
f1cbad19e37fab52e6dee4009b53704c

SHA1
95e97efa618cbde92e0f4aa51db3fcfd7514f8e6

SHA256
8ee778901ab391c209e928477a75b67d2530fc553ab68cec06b265d86f831417

SHA512
1b6f4e5cd9613a355872d9f96c2f8a371fdacc6d3d1c8f8b2f1327601fe0fab0ed6a6b5f32961572a164e849add3f687c56f96db723477320c1aac9981cbbbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y4v6wblRfFMY.bat

Filesize
207B

MD5
355abe1257b843d090b68042657d142e

SHA1
e9e4d35bcbe89e60f6bb91ec4dd3566a2873276c

SHA256
2f8fe5c6a1cc61124399aaaf2dd0b7a60f08c655cb981d4f3d87f4e5f694a216

SHA512
ce69074a56481c666124d0577ae5aea5d5303f37bfee3c1066d6935cbd9f0ec4ea2d0de372e26a83ecd20b0e2354b60a7b934bd6a27bd9e54336b5b6947cede9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YJ7vLq5OyeXN.bat

Filesize
228B

MD5
2f6b3f17386443822b49d17f29b4c3f4

SHA1
1ac5df8ccdfc87850a52c0eb365308f6589ddd16

SHA256
f1affd7c605a56e5a31bcedee1b79d339d61f601b617dc4e72592e9a720172fa

SHA512
9305c03df043feb7f7726b882e574757694778f52cdf9926780903ce39923b5e12e7d308b6af7637a576eb3856abd2d187fd8c434e38f3ca1789582d064e715f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aV1UETDDFph8.bat

Filesize
207B

MD5
59077c029598f1bb93e590a0817defd8

SHA1
23cb6a71e68af8188654e7ef1647c9d5c9d1c2d3

SHA256
bf59d3e71ffa9ae36f15c8f1a27fdc95972a615a713aa25bb2f4f83195d43a35

SHA512
7a4320076e934377c786e00afcd7c8872552fc0af897e3efed73ec2eef0a1329d07b618d9cc4b9c8569158f17894e230f5f7d33d2ddd951e1c80ec9d9ae2a638

Download Submit
C:\Users\Admin\AppData\Local\Temp\apcW6tLMPc2L.bat

Filesize
207B

MD5
9011adfe8e6911d7413d03ec8b3425a6

SHA1
6447d3cce3725cc58ef2a3626f9e2d3398325481

SHA256
f1b6af64a77b682eff26ce6f8915ec18d3241803f2dd86c8ac694a54e8083283

SHA512
ea140883322165ee0ae8783a86bba228c3711bbcb78a3619a6b4c373de05711f16509f33b80fa840046bae8ed0071494b86abbeae3dd1387d9eb3bdd7ffe741e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eDSQ90sYzUjo.bat

Filesize
228B

MD5
63f350a263bfca3f4555be8b3561eea0

SHA1
14fdd06e5d98fe6d892da91e2506c6fac375849b

SHA256
f4aaf8a74e7542479fbf6883a73f2f0bcb9455f22e3583a99a0d71dfeb86d68c

SHA512
566a927decbe5efbf96fad9da21110720d8ed0ea2686c9e9311aaffbb04c47096efa2258888a9c6847ee9d95e6fef64cbffdd493cb04b9b45d8a1dc1e2658a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gY0E0KDxEExC.bat

Filesize
207B

MD5
1d81bc616e015edffbb939ec17d1a102

SHA1
3bd5b2672516a1d9dfb792f707dffc2e17de43a4

SHA256
b0f2a56905e5f2d438bc508ff5bcdcb611c1eac3682e4b646f77c374ffa2de84

SHA512
cd8e517275221723f9d3110b7571c0282040bc76565131e7ebfcd21903545e1cc02a440ff54ed955db20d78c6d2a6913990fee8bc25bf80fa347e337c8740915

Download Submit
C:\Users\Admin\AppData\Local\Temp\jH5VibwOQ3UI.bat

Filesize
207B

MD5
f151e0c4cbf0b986536ad34dc386a2da

SHA1
0f1f6eba8d11e9a5914457a152a9987f45d6da28

SHA256
f9771521b29b6754c96adce2bff8a8ff2e617a8336121b0b9603d45fb5cb83ea

SHA512
d9ea8fbf5f69b2d69bedb4032c4088092d9933d00fb0a0dbb74d59bdacd7afa6a23f3f956035bac62deb96fc7acb6110b11899dfe90cb01c3682f7ae6fe4d9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIfHX94u2tFb.bat

Filesize
228B

MD5
ae858f9432372bf92bce39db26ca5a83

SHA1
864ec82457e4f92d9523b2bea46f8688f12fd8db

SHA256
f2099f6da6b7f3c95e6fdc5c436c8b8be11d95b29aaf9151c6c16b375c1938a2

SHA512
14ea9a93d3c9fc55a3b7df26d234e400539310e8529f410a294dc1a723f2dd213e4f6e763d95045c4b92f26ddfa69128bceba8deb9e9f2422150c53826038244

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvoFrZRqL9bk.bat

Filesize
207B

MD5
e322a6a2161c86924e7d2e7aaf1b5d57

SHA1
511a5f7b17fafdc948d2404cb1fce57bf88deabc

SHA256
c9879b5607b9f41afa39c64a1f7d06656af5ae14483a41964882225a63b2dc65

SHA512
9265c6a00870a63a36f5402b90053765701bba579df164f5ce8c1fb2322eb092be76b4dc8d2950592bda92fe6c04bf8900beb169a6d5c22a0f1e5106994a3992

Download Submit
C:\Users\Admin\AppData\Local\Temp\k9j8MfCt2cCW.bat

Filesize
228B

MD5
05ca31ecb6dcd260a2687cb54104f1ec

SHA1
0a71bde7c0eaf1d25df871eb33492207631692a1

SHA256
9881eb9c07934513be72399ff75709a05023cac76618f95bddd656b75fd386be

SHA512
db0bf6ece79be075650fa155aa974e7a100dfd80a6dd2ce2549daa57f41eea0335aec3bc8494cfeec8801120d43223741535c77d8b18b268413f8358182be876

Download Submit
C:\Users\Admin\AppData\Local\Temp\laD5RWHEpdCY.bat

Filesize
207B

MD5
1ab9e246c3bdee483cae0dac3025cb60

SHA1
7ff4dc510e012f1f709e084ce837f7cfa7bff9f9

SHA256
3a23d763087b38fa806ee6067bd7007c81134cebd6282ab11e918d5de737c20b

SHA512
2757e7d4d44f2614f195a919e3256337124f48c14480de62acc9a91bfe14ec32a306eb23bb3d3fe498b99175a2b72ca592a81a39a24ae58b3fe9f07d0ee1d152

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6QEI4nXQhc4.bat

Filesize
228B

MD5
0fc43545fd32c5a30df7c60e3d983566

SHA1
f8e9b6a40208aeb2385a1a9e4b8f20f97b7a42a2

SHA256
4ddd2ef8df770df729868cda033e5106ed94460717a8fea63d5a186ad643a136

SHA512
078d926a8ae096a8ff3b1377ca319718145451f774ae87f4fe1f6210685c49c717d7b4a6affa586874ee1069507765881193d4a3210d7ecc57acb3643a861a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\p1KYEzD6QC5A.bat

Filesize
207B

MD5
b4a970ea03b9d0226f219987e00878ff

SHA1
52d39b8fb8a7aa1cd758dac178d51dbbd502a732

SHA256
2e5db9f97768ea7804ec959facb678955810718f5279ce41ea0fef7423193d4d

SHA512
694f79a37a7a76f4f7ff1aaee36d1a1e85a9dba78ddb89a8bf96ae9fd097b6ad83c3b9ff8501a52d693bcf1917943c9570919be545eec9d8c2b8a011ba303dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiwAyEsAxzYP.bat

Filesize
228B

MD5
bf1ebfac176ae1cb7807777e2e8af5d4

SHA1
af37a274b7e212f9167b809308eea1dbb69f59fc

SHA256
c87dd620f97979e8373a505e1145cde6e054a4f0d1bce738c10faeac3238722b

SHA512
85ee14df5a656f7003627851bcc787bda487296caa0e0c8c22340da35d45fe33bb86f738d02327884823347abc8cd23642ed7553c0277757e911437f0a51bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9fP00PkfjmT.bat

Filesize
228B

MD5
0320feb295876587375f214ef67d8e4c

SHA1
6630ab6250faf3a74e15037c835c1c7f83763304

SHA256
a3a97ff3b9f8b1b9c007bca76113b10408b9404aa5a2a181793fc03f556da8b3

SHA512
2757a996640f3eced947a2d4c34931950ae03ef61e47742fd3ad58d8b293d3c581632d51808dbd1abce98bbbbff3e5210f03868c7a733bb2ca280d56e6ddb3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tZmgBf7z0xrL.bat

Filesize
207B

MD5
bc259441395e9b1a30f8ab40c3e3a322

SHA1
b8253f6ac21106eba13c812addc19c7eba3be1d1

SHA256
04c6587b08b84656b772d0eafd69ca1e1915be1c0c9cfc5ddd2334b37b50c784

SHA512
234b620665fc949b5783acbe51759c7657321640e7bf27336e32f59b5b42fe2612bf8ae110466d58916d70addfc10033720846a6eb2e0d27f0a6fcd23af9cd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\uJzPvkYIbmmq.bat

Filesize
228B

MD5
c5acee2d38bd642303397e2350181c24

SHA1
680337865b6c620a0625fdc727e48fdfc57cdc89

SHA256
d647f245701c0d16bc6aa68b9b67b676f6c6f8109db7f613bb13aa7c7b7f1c08

SHA512
992749cd2ce08671c479c52174cda0cff53029c278d17e6f6ff3bd9256095fd2443459406abbf6214436299fd982267f4dd846231358154b51c1602a944098d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpe5yEyzustn.bat

Filesize
207B

MD5
2370bf7b2f5e0215f2215c966213aef8

SHA1
764d53add54ac9d2f48cacdc9210898dc66c44d9

SHA256
5e064153e077636033f79c088041cd0790a73ecb4c6a7ec29393248bc9b14b55

SHA512
a9e59d60a934fe11bafcba20f93c63c4f3b2ab9bfb563a4934e29304b3aa8551f2f6c373962fbfed2e3112bf3b3bb4392ef02ab6d9f544a30a844824258c9e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\yA0VLptBtadw.bat

Filesize
207B

MD5
68164e776e7c404cab01359b2ef985a8

SHA1
e8b8cd2f25cbb8e4859f8d3a2833b9c1375a9772

SHA256
59dc63b26439e50ec0f3f04db25197985fee0a511c226c55c9ebb91ae2ae3c26

SHA512
975a0becf81f05942ef06f00f96902cec77f067701e05d9ce8f1cfc85fa7f97fd871e8fa805f91d493ba6a80ddd393db18874b3e49ecdefe779ba3f6e3e0d943

Download Submit
C:\Users\Admin\AppData\Local\Temp\zR4xtKloXtk9.bat

Filesize
228B

MD5
60e9397b30a4870a411400920444692d

SHA1
fc1d2514c8867c8d9279c2a86ea38adfe514359d

SHA256
f8fe5ef5c1da2037b35d3e8032026de96f0b102b1acba4d3af4ddf125091c29f

SHA512
75be296bd31ca93d43143f5bcb84d3d448eac4813958026c37de275a17636d4f89168b0a10a842742d3495ea0e141edab5afe627dfe53f0ae4fb11d15a0deb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\znfLb1fZNORB.bat

Filesize
228B

MD5
9f83dfb1b7fee9d9391943dbf3c71922

SHA1
98b9aa27abd159a6da5ac05a300a61c85d0280b9

SHA256
e9ededa41d3e8255aefe707a64931e77fb7e27160045e62e8cad25887a57940a

SHA512
724d4cd50270bd187e7d8ec3dd0e37c209e731304a2a19965c7b4d79f1d9cd68dcc54813787e565742fb11136f130f1c49e83ba0f6a03c6ad76c4bfaa5adace8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\2c86bb0c19714a3a6b5472b6bb3e6f0f_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
3KB

MD5
46219c1fcf707aea671af71ca1192130

SHA1
81b5beffde2d3b1cc026e52d195e44f369960cc9

SHA256
1905919490282158abbfe54762d5e1bc7ab64edb03b4f75ecb541615151642dc

SHA512
ec33d8f8ba87272cb432739824f3abc360d2be969d02d4cf6c4c46f7edfc7198a7d57c077f645c40592d34e966a5e553c159e7d5e4dc891159e001592d7e1ced

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\5af1e3da84b95f78d6cb5a092b68adf6_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
3KB

MD5
34eeab815299a474a6d580fbe423f713

SHA1
7ddc735453f40e05fb14c5a07393b4be70c5368d

SHA256
b472d656daaf4352b2f4af4f891854e3f37284dd59a6cf1851943db529e64981

SHA512
eea0e7462776215279a5fc82c08374c617bff58600406d2d9717c7db9f18028c4829047c3d2ad063469dbb579bf4cd560ab36fb9d17d24a5f95340b6489112cb

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe

Filesize
3.1MB

MD5
ba2111649019ab7f518241e0c062336b

SHA1
74093c60975f5c452893664bfdff5520ad9a7781

SHA256
ea274c4cbc9e5dab32b30dca4eb03ecb43d445c04ea99baccb54f6b63635d457

SHA512
f2171eef397f6ccc73f9414d0861db24fd950c365f34e3ae66247a4d41563bff60373cced95243ffbdd365684aa60ff58bd9c4e91412e4dce2c5e9c8993d45e0

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe 2.exe

Filesize
3.1MB

MD5
25262a771e56f803dd6d4e501d9e8197

SHA1
761e7274d3842dc72c59167b979d92bbb52a5b0f

SHA256
a79c77aff04d8116021a5090240ac32b6aa2a0d55a9d25a7bcb9755614781573

SHA512
a8821f31f151ac6d552b6389ce9f7e40d21723de77b7c9a462840aaa213cf883461cce0c29cb3de74cf9e107436274bb8e791e6babb17cee5d21092f53c73b30

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml

Filesize
1022B

MD5
948b5820419f750d4e39bd295fb5033f

SHA1
11e0c7f309b8b5df0e3c4d88136040eb09214d4a

SHA256
f2a5f8acaf5fbe18f01b5a7b68d73ade506546d67342337387c980359b007136

SHA512
c9e06508b644bee47eb277ceeb336853f58f5095a9275b93793f02a88618fa2f07445b78c1da05c95f8a6c7a3b9a076f9eba02f4112662b102e67f664f2111ca

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe 2.exe

Filesize
3.1MB

MD5
8e6c6bb750ae2b9178fb90ece1dd820f

SHA1
6bcc053e9becc7eeddeae6be7b9fbcb8637b2bc8

SHA256
7a35fd590b402427e546ac6689b595d3b7ebea7d2204567d6e9624e3d4bf637b

SHA512
2cc6276f0f904607de19cebd50f7e47671a117e3ff3e72147f8f35a6e6fd0e515271785b56f8e9467d6d5366cce464551df20f505be20021fa247b5f64573501

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12

Filesize
4KB

MD5
47656fab554a0d07a28469c1d98d7df0

SHA1
cdc5a15cd563d4876783052fdd00d6e3bea384c5

SHA256
2f71f610a1f05ede2961bca86f71641846826b378931401c51623df38f405c5a

SHA512
96d3f3d36123f6fbda4455c94c32190db7c039aff568e23371f2df8f7d4b70fb78eff73e0d694bbcb9df713abd23331c4b4e202d56975a7c18848fcf57cebb12

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml

Filesize
373B

MD5
b6af1da05c1a00991f04f8b898cea532

SHA1
24c48b062d8d864eefd32f2d84a36e1a7282e911

SHA256
f2ef0d8f29904a65ce6dbe29baf9379fb4659afb6930a5af5d9fb88f73b73f41

SHA512
2ab2de469911c3fee5b9bbfdbb373e5eb15023bf25b9e1835ebbf5890c66cfd7a06d7d5911e2fb630afadf9b30489e589634cefe52ca4c4156ae24b24c00c8aa

Download Submit
C:\Users\Admin\Downloads\dff3da24-724e-4bfd-a4c7-d667dcee57cc.tmp

Filesize
31KB

MD5
2593550450c45ee3eda593f5ab5a01b4

SHA1
e7a6a5be15fee6a565a570ed69486edc8d3175bb

SHA256
4c721ebe66d236f93cc48703ba9c54559b8d875658f60449b98585f1c32244a1

SHA512
0bee8c15fd969a37b601a0f397483d99e02c99b49d5815bfcde0657dbcc7da47c1e908c577b73129381ecbd38d96fba7acc89866e82f587247a79a6cab026561

Download Submit
memory/296-1618-0x0000000001380000-0x00000000016A4000-memory.dmp

Filesize
3.1MB

Download
memory/460-1294-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download
memory/572-1134-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/648-1371-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download
memory/672-1091-0x0000000000BE0000-0x0000000000F04000-memory.dmp

Filesize
3.1MB

Download
memory/1004-1345-0x0000000000BC0000-0x0000000000EE4000-memory.dmp

Filesize
3.1MB

Download
memory/1044-1482-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/1108-1499-0x00000000011A0000-0x00000000014C4000-memory.dmp

Filesize
3.1MB

Download
memory/1160-1296-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/1160-1300-0x000000001CD70000-0x000000001CDBC000-memory.dmp

Filesize
304KB

Download
memory/1160-1585-0x000000001B590000-0x000000001B5AA000-memory.dmp

Filesize
104KB

Download
memory/1160-1584-0x000000001E700000-0x000000001E75E000-memory.dmp

Filesize
376KB

Download
memory/1160-1299-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1160-1295-0x00000000012E0000-0x0000000001418000-memory.dmp

Filesize
1.2MB

Download
memory/1192-1272-0x0000000000BC0000-0x0000000000EE4000-memory.dmp

Filesize
3.1MB

Download
memory/1268-1327-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/1340-1432-0x0000000000C80000-0x0000000000FA4000-memory.dmp

Filesize
3.1MB

Download
memory/1548-1023-0x0000000001370000-0x0000000001694000-memory.dmp

Filesize
3.1MB

Download
memory/1720-1271-0x000007FEF3730000-0x000007FEF411C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-843-0x000000001F300000-0x000000001F62E000-memory.dmp

Filesize
3.2MB

Download
memory/1720-834-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/1720-835-0x000007FEF3730000-0x000007FEF411C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-877-0x000000001EE40000-0x000000001EE8C000-memory.dmp

Filesize
304KB

Download
memory/1720-882-0x0000000021A30000-0x0000000021A8E000-memory.dmp

Filesize
376KB

Download
memory/1720-850-0x000007FEF3730000-0x000007FEF411C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-849-0x000007FEF3733000-0x000007FEF3734000-memory.dmp

Filesize
4KB

Download
memory/1720-826-0x0000000000850000-0x0000000000988000-memory.dmp

Filesize
1.2MB

Download
memory/1720-876-0x000000001C820000-0x000000001C838000-memory.dmp

Filesize
96KB

Download
memory/1720-825-0x000007FEF3733000-0x000007FEF3734000-memory.dmp

Filesize
4KB

Download
memory/1720-883-0x000000001F070000-0x000000001F08A000-memory.dmp

Filesize
104KB

Download
memory/1724-1120-0x0000000001040000-0x0000000001364000-memory.dmp

Filesize
3.1MB

Download
memory/1780-1273-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/1920-1102-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download
memory/1952-1362-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/1964-1248-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/2140-1282-0x00000000012F0000-0x0000000001614000-memory.dmp

Filesize
3.1MB

Download
memory/2148-165-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-153-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-123-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2148-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2148-152-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-140-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-1-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-139-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-16-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-164-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2148-156-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2164-1406-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/2244-1574-0x0000000001290000-0x00000000015B4000-memory.dmp

Filesize
3.1MB

Download
memory/2300-1388-0x0000000001030000-0x0000000001354000-memory.dmp

Filesize
3.1MB

Download
memory/2356-1079-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download
memory/2444-1415-0x0000000000340000-0x0000000000664000-memory.dmp

Filesize
3.1MB

Download
memory/2492-1583-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/2612-914-0x0000000000110000-0x0000000000434000-memory.dmp

Filesize
3.1MB

Download
memory/2620-1600-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/2620-1449-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download
memory/2636-1540-0x0000000001360000-0x0000000001684000-memory.dmp

Filesize
3.1MB

Download
memory/2684-1309-0x0000000001300000-0x0000000001624000-memory.dmp

Filesize
3.1MB

Download
memory/2748-878-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/2760-902-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/2784-1061-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download
memory/2788-1115-0x00000000010D0000-0x00000000013F4000-memory.dmp

Filesize
3.1MB

Download
memory/2856-1318-0x0000000000280000-0x00000000005A4000-memory.dmp

Filesize
3.1MB

Download
memory/2880-1285-0x00000000009E0000-0x0000000000D04000-memory.dmp

Filesize
3.1MB

Download
memory/2932-1336-0x0000000000E80000-0x00000000011A4000-memory.dmp

Filesize
3.1MB

Download
memory/3004-1228-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/3024-1609-0x00000000009B0000-0x0000000000CD4000-memory.dmp

Filesize
3.1MB

Download
memory/3028-1041-0x0000000000880000-0x0000000000BA4000-memory.dmp

Filesize
3.1MB

Download
memory/3056-1397-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download