quasar | 39f2d587186436107497b0f2abf4fc221e2fd08a4d8cde88884bef136cab9e3b

Analysis

max time kernel
300s
max time network
287s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2025 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quasar v1.4.1.zip
Size

17.1MB
MD5

f6a70eeefd9e2b68fa66b9a50f2487bc
SHA1

e28b98c3026fa0ede19019b044ca4fd2a3a3c9c6
SHA256

39f2d587186436107497b0f2abf4fc221e2fd08a4d8cde88884bef136cab9e3b
SHA512

d94796608409d03279cdf1acc6bc610f0c2d7b7f95873404f97117a49cccc30df58f9bf69b780cb0e004748321e82ce1c3ccccbb7b5c69261bb2b7b7e2b5954a
SSDEEP

393216:2EiYksB+KVcnDt90HIOMv/uMQwHLuQ8oSmwPcKf87YbhscmPQ:8YR+3PfpX81PPnqPQ

Score

10^/10

quasar xmrig discovery evasion execution miner persistence spyware trojan upx

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ad38-970.dat	family_quasar
behavioral1/memory/3888-985-0x000002551D750000-0x000002551D888000-memory.dmp	family_quasar
behavioral1/memory/2072-1603-0x00000215B5FB0000-0x00000215B5FC6000-memory.dmp	family_quasar

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/4792-2191-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2189-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2190-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2188-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2186-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2185-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2192-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2193-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4792-2194-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe
956	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
4440	Quasar.exe
3888	Quasar.exe
2552	setup.exe
2056	gpdauwhxnfbl.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
36	portmap.io
37	portmap.io
38	portmap.io
39	portmap.io
40	portmap.io
41	portmap.io
1	portmap.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2420	powercfg.exe
3028	powercfg.exe
4176	powercfg.exe
600	powercfg.exe
2844	powercfg.exe
1196	powercfg.exe
1932	powercfg.exe
3748	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	gpdauwhxnfbl.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 4424	2056	gpdauwhxnfbl.exe	156
PID 2056 set thread context of 4792	2056	gpdauwhxnfbl.exe	162

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4792-2180-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2182-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2181-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2191-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2189-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2190-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2188-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2186-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2185-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2184-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2183-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2192-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2193-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4792-2194-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
556	sc.exe
4816	sc.exe
3620	sc.exe
3408	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quasar.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133816428242274333"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = 00000000ffffffff	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = 00000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0 = 6600310000000000325a211810005155415341527e312e3100004c0009000400efbe325a2118325a21182e00000009a7020000000200000000000000000000000000000020e4d2005100750061007300610072002000760031002e0034002e00310000001a000000	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\MRUListEx = 00000000ffffffff	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\NodeSlot = "6"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 19002f433a5c000000000000000000000000000000000000000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0 = 6600310000000000325a211810005155415341527e312e3100004c0009000400efbe325a2118325a21182e00000003a70200000003000000000000000000000000000000f1e2f1005100750061007300610072002e00760031002e0034002e00310000001a000000	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 78003100000000004759855e1100557365727300640009000400efbec5522d60325a77172e0000006c0500000000010000000000000000003a0000000000753f7d0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 = 500031000000000047599066100041646d696e003c0009000400efbe4759855e325a77172e0000002c570200000001000000000000000000000000000000fbcf7c00410064006d0069006e00000014000000	Quasar.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1336	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
1528	chrome.exe
1528	chrome.exe
880	chrome.exe
880	chrome.exe
880	chrome.exe
880	chrome.exe
2552	setup.exe
2900	powershell.exe
2900	powershell.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe
2552	setup.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
2056	gpdauwhxnfbl.exe
956	powershell.exe
956	powershell.exe
2056	gpdauwhxnfbl.exe
2056	gpdauwhxnfbl.exe
2056	gpdauwhxnfbl.exe
2056	gpdauwhxnfbl.exe
2056	gpdauwhxnfbl.exe
2056	gpdauwhxnfbl.exe
2056	gpdauwhxnfbl.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3492	7zFM.exe
2072	Quasar.exe
1336	explorer.exe
2120	Quasar.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3492	7zFM.exe
Token: 35	3492	7zFM.exe
Token: SeSecurityPrivilege	3492	7zFM.exe
Token: SeSecurityPrivilege	3492	7zFM.exe
Token: SeDebugPrivilege	3888	Quasar.exe
Token: SeSecurityPrivilege	3492	7zFM.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
3492	7zFM.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2072	Quasar.exe
2072	Quasar.exe
2120	Quasar.exe
2120	Quasar.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2072	Quasar.exe
2072	Quasar.exe
2120	Quasar.exe
2120	Quasar.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4440	Quasar.exe
2072	Quasar.exe
1336	explorer.exe
1336	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4440	3492	7zFM.exe	77
PID 3492 wrote to memory of 4440	3492	7zFM.exe	77
PID 3492 wrote to memory of 4440	3492	7zFM.exe	77
PID 4440 wrote to memory of 3888	4440	Quasar.exe	80
PID 4440 wrote to memory of 3888	4440	Quasar.exe	80
PID 4440 wrote to memory of 2552	4440	Quasar.exe	81
PID 4440 wrote to memory of 2552	4440	Quasar.exe	81
PID 3492 wrote to memory of 1104	3492	7zFM.exe	85
PID 3492 wrote to memory of 1104	3492	7zFM.exe	85
PID 1528 wrote to memory of 1720	1528	chrome.exe	87
PID 1528 wrote to memory of 1720	1528	chrome.exe	87
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2096	1528	chrome.exe	88
PID 1528 wrote to memory of 2912	1528	chrome.exe	89
PID 1528 wrote to memory of 2912	1528	chrome.exe	89
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90
PID 1528 wrote to memory of 4872	1528	chrome.exe	90

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\7zO4AD4F0D7\Quasar.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4AD4F0D7\Quasar.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\Quasar.exe
    "C:\Users\Admin\AppData\Local\Temp\Quasar.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3888
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2552
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:720
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4308
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:600
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:1932
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:1196
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:2844
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "ZXOXMMTR"
      4⤵
      Launches sc.exe
      PID:3408
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "ZXOXMMTR" binpath= "C:\ProgramData\xawfhmkyynwa\gpdauwhxnfbl.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:556
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "ZXOXMMTR"
      4⤵
      Launches sc.exe
      PID:3620
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4AD33187\IF QUASAR DOES NOT OPEN.txt
  2⤵
  PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff98069cc40,0x7ff98069cc4c,0x7ff98069cc58
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2016,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:3
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3536,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5052,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:2
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5372,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3368,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3356,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3084,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5480,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5112,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5200,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5804,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5840,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5860,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6060,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6300,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6496,i,7141904508435255663,5833589373841819389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4768

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4796

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2072
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
  2⤵
  PID:1840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1336
- C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
  "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2120

C:\ProgramData\xawfhmkyynwa\gpdauwhxnfbl.exe
C:\ProgramData\xawfhmkyynwa\gpdauwhxnfbl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2056
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1028
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1396
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3748
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4176
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3028
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2420
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4424
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
73f089dfe52d129ca8c52c3e33618294

SHA1
bdd1e52a4bb61056be2ff915a7c17b478590f80b

SHA256
d5ed3ff4012a058e64206bfeaa1d54f23296ef71720cc5dd65cdd45a0a6c1c01

SHA512
94acc780ff2786be63605ee6a335f793de8e7a1293cc4214956ad9f01a117ca9098ecd74724f203d81a24c06ff29880b0d91c3c2d4ed3ebb665e3a66dfd9ee96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
94KB

MD5
c07f2267a050732b752cc3e7a06850ac

SHA1
220dad6750fba4898e10b8d9b78ca46f4f774544

SHA256
69a3831c082fc105b56c53865cc797fa90b83d920fb2f9f6875b00ad83a18174

SHA512
9b1d0bf71b3e4798c543a3a805b4bda0e7dd3f2ca6417b2b4808c9f2b9dcb82c40f453cfae5ac2c6bafc5f0a3e376e3a8ce807b483c1474785eb5390b8f4a80e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
43KB

MD5
0ca771b2c6d554021dcc1c01cdc77ef6

SHA1
fad10c3c1c72899dbe1a3a9ecb011fbef9f0ba81

SHA256
18cb1c9a336ce8c6d9bd71b61d18cfdcca5d386997bf4efc491807eccef6dcc7

SHA512
d709e1051b40f8f386540d324449364650db24476436f32e4411a34f5142239c179a98901d9583201f0ca4034158cfc62923c380203fec74eb008160bfbd3f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0d5eb51895135fea918b62a6dbdea57a

SHA1
b51c57ab4fb31c382dffbff7aaa57150dacf8573

SHA256
16c87837a0b22d42d951b8ed6bc80080a70b3ba619e4dcbd8cab37ffb9ab813b

SHA512
02062a18cadb7fce44393ca1dce2b56c6e077e597d8839b5629a995a657934c9f4a4d80accc1354e5fa889895e67454b0afe4871a4da225385290727a7f07218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0d97706165069fd12c11f1e65060c6aa

SHA1
18dbad63708abd5a5cbfa7fb69c80d3cfdfa8d98

SHA256
5c86b81ca5fe0658431ab15b06bb3650b8a4dde470d32de07757ce4b78d04ce6

SHA512
947e232b78a00782bee6d7c93b3b403f0866860095b066558a0cf916b823b74e220b6d5185dcd5c9b66c95ac86560fb10e72788ee371ebe88b08ddc11fbaab27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
d9d54c540aa1cf93438665543d27ee97

SHA1
815447175b67ba7f5396e3f23cf434553d96a530

SHA256
1c623f4264c4fe1758db53818a6e05d73db28085bdfdc892cbc963e49a5b4dbc

SHA512
f1fc45b84b9c53957670db81017c1aa901903edb330913813e54b6f981b904c2a6f5a1693be0d41403ecb1ed76bdd3bf67bc61e03894e549e60610054927a4a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
0ec25daf453cba5023032ae55ae355bb

SHA1
e2da01befb57f8e8403ab7534a6f739a5f2c2857

SHA256
202ba2eefda34f2537acdae35717a4ec28214e5ab6a34c0ed5a9908d3174804a

SHA512
1ff7749a33ff1993d27774c5ca4692f94458518e34ff475b8732589ed4e808c0e354de16f6fe689103955bea7807d0dd6000bb53f7673658bf0cbfbad4bd7ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7a1be3008f36ace13776b6737a0cf059

SHA1
644b19931f267c828f433e8615d7d3172d657f62

SHA256
15b7df177287020bd06c52df6d25907ad6e1b6ab7d04f10f38aacf6cb4308497

SHA512
6268dcdb49355cd6909661addf6a2b0fb4c19fa1f7c5becfc346678d584c451fcb7accff7a9eaf98d3c41149d24557b3e2e9c3e1fd6d1c583b82ccb1c4dc210e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c60dfdcb0f487e4067a486ee22f4117

SHA1
131e573e4800f36cda013c32da79edddcf3951f7

SHA256
361fa0ddb36b9142e3afeaa32c5b6abcc2904fa10cf867a8b311763311c925c6

SHA512
82fc37c4a6ed4473471014e1939d47a037f3969a93db6b97774862ac98584b78b4d0a0012209415af75459fa9f6dbb6af06c75aa1582dd98910ee1bcef161248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c92bf0468289f41658c752e33b3b7ee8

SHA1
66422e1461382f4e1ffaff2a4b4f2f1158eed491

SHA256
122756d9524e318795bcebb4c8cd035c8cf68c17ab8edf229b97b4135991a865

SHA512
2e8d9062f8384cbd71720e3440d3f82676c099bb12b3877314b7561fe6e252a49ff38c2b5245d16c7dde25814e5cad4611f65a76de841f7637a54811081e3c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
dc86aa32847601358d7bfe841aaa7e15

SHA1
e63f2387f139ea3e848ea564cb208a2b28b403c7

SHA256
e65fa9c052a1ae2225f56ca348e7cf2e73d8c5c8ea095a8106c1a773d28f2f3e

SHA512
dc5e6a374daa835ab0ac962db5b8f7b7b4aacd378b1e4f3e461f030a2bc5b7377da85f87ca4032c4ecdde9feb84e2f7ded7453420e753b00a6b44069ddea4165

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3b9083b8ae2cbce99e0a18ceb29eaa09

SHA1
534bb095e10ff155bac9838b27ed7f34d1f49d70

SHA256
ad99f4eeb725d3516f654ccb6970b2a062bb04b9992b62cdd9c1153dfcba2fec

SHA512
f3c8f06713a7d92c2d5c2f279a510ee68fac1ae1a0b931cc9535be6b881e2492f68a5b79424bd8eddf570434317c00bc9914f922eee2cac0bcd6d7b539a9d0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ba1f9c84b0b4eb13234e4c0711bb14e1

SHA1
4b2020f3a8342a4b6ef981dde7a9ca7a89e91393

SHA256
f27fc37f6ea7416801b98928a59cf713f33c8548243df3e276340595846bedd8

SHA512
41909422eb5a80782ad393fbcd98b03364f89faef80ded427ed557d771cfb9cfd1dca83a048dc9d09af4c1dc538bbbf171bd4436553436dd6bed18c4fd6d899c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ee746f1577eb008dff7ab0234b3db564

SHA1
78f722f5ca7b70e8c0e244d80616a5a4b7d3c966

SHA256
7cb20bae181b2e33eaa16b6eff8959e222afe7d90bfca0c1daf621b58c6c9d34

SHA512
07894b79a936e7f2073e09cbd60938e52b687fdfa86f0bc9c1259e31d6c3d291fc5c67f3d9a8ee18c6e7b530779095110e57d739bf33428857b6ef152fb022fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
22d3c811a0ef640722fb9902e3e7dc95

SHA1
44ca26368af08c8345cfd664e5fb868333887b30

SHA256
20d1e79abe5dc4fde111122ba82189bb497b7850ae55be00ec48f1585e3d0f53

SHA512
3b67671b687170517e58e35f5256bf0fb93d022732c4c90f7fd5ef0fb36eb59f7e8ff1660d66aaed8bd5195e2796517759d4fc6d5181c6639aaccecffb91deb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e8b36b0e674db7c6ef0f817e6ea91354

SHA1
7ab3388eb938e89727b967513e47850ad6ce4eb5

SHA256
572517f4dfd4f0e67fcf2587894e12b56ae4e73bd979ec9ea89bb7e0e221f822

SHA512
e2b938f57b2f3495e6c7a3abe41265252586498faef254667c763a4b229cc922f889f746a75389fa8dd09189c51de7fe04f0d5f9a74fbaad1ac965cb54a12f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
44fd8308dd6821926b62419299f239df

SHA1
1c397831d72f23d0ea9d1f74a3ea8bf5ceaccfdf

SHA256
9050ef0e57b572c5023df943abe21c69376a292c1f348cdcdc880dd63374ab0d

SHA512
7270c7a609a9a46626239be5b058c1a185cc682be9b579a131bb90dc9dbdb450122756ba487417c731e382c96cb849596217111c57643a25b064da6308a0d1d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f11d860aa6f4ab63ba55bb726c5a5b96

SHA1
1313f1daa2d0e8ed785c458468e8486f7a9b2db8

SHA256
7ea0faa1765d358c51db954149e6a6c865d516489c7c9bbdcc482fa9af726031

SHA512
f35a6680d7e66cf84c28cd2a92ebe5e99780e55794901fcd70594808ff9a832e045ebf930297ebdf82aea326e14b7ed4b8904c18363af7af00dbbba4721dd8ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b4fd79514a774df03ac75f57eaf0f661

SHA1
418db92a2adc882eec576989cf408095e38b63dd

SHA256
c23c7bb5f740b4764ef3cf6045f497e15cf5bc909381de137df2e30985b5d58e

SHA512
3e71e149e08b5894e3dee980a2e4b3ba5bbdb91da6138f4f7b805afc54d23d4051183c157ae7ab09ced50d1d5d07df44058e2d993df360a5083a839e157a6d96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
325d2c68900d21398d8b20033d866ffb

SHA1
1adf457d20fd35912bdf9a3e8cc9e1b73fc1a22f

SHA256
c57c27f0b4edfd226e8896a23a261f7129f1971e08105ee7121b884ecd6787fb

SHA512
feb42c0d71f3073be0373210fb442ac618340f218f3d515c90dd1cf9263228e48419d3bdeab6da2be6db8b94681adabf4d180ccff04dff1c631aba5a00042d29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
278dc3915a1f632cdcf366c2c20d20d9

SHA1
ca50dc7114945247d6b304be8a5c9340983b5ea3

SHA256
e238db1ec7b8c07f7b3901f29af3fa4c41819392b27a49a9ec1b47a7da456a8d

SHA512
e8486dbbda0c57ab470176f48d8184e4b8c31c34f7e2926c24be131e1bd90761c398d37bdc01f79953a1b7d8e4ad9096fc8744e1d87464167704f656dd6ed850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
015454e8027bd03f1d52274a77fdc3da

SHA1
6bc8e1905859be74cedc406cf13dde380d2a6ba0

SHA256
343f1f439bf6c17414e10f00e1a8c19afcfa9cf9c148378bd2f8293c1fe756c3

SHA512
ad3dbfe089a41496d8e53cefa4d07df3465a9764c81d8a7766237a2a418598aa9d22f5f6da19b58bc8349390bd7ce3b7d7ad88ee1d612fd6d24bc9c5941a024e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
761fed1cbf60f7f4cbb7ce4b981d196f

SHA1
e3a1856ecfe06b7b9d8831221917428e6b829b48

SHA256
3dd0bfde9518c4f56ecbeb51ecdfe44f01a3ac7f4ff4249de904cae388652e0f

SHA512
a94d2edcafe42cedf4851e8a75492e9bca55c715dd6034ee1f985e31fd596f9431f44501fc5f9568a728f9f6abe479f9ba056e1f9e920d284e6c2e0021374f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
72003395020ce6a55d15237d010a9088

SHA1
62ea355d2b00486e055e7ec364def6a5f13de530

SHA256
c1321b48bcfe24581e905b2f0261adc73f2d34e683604a5474223cb834b2b632

SHA512
ac14c521d310a68342d588981c57735b6514376f92a94c25eca4063c995b64a8bc9b0db8bf4b7276637ef89dca1818b48ea74981d7eecf33e89b02497282bf06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d46779b773ffa8369ff6e5aec792d65c

SHA1
cd48b1dafbb609f120adaf1f5edf73f82b02fcb4

SHA256
6ee3ac9df184d756b78a94b9a2a1c88dac4d44b67d4d5f39cc08348290d09c93

SHA512
aa656c391ef51e8af06b858317063d3e9a893113441363543b46ae31e655186bb775e125d9375a0fcecf0b6bc89c514565627da23babb14db00a99abefaf3985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22880907abb3e27c8e292743e90e80d7

SHA1
39ebfafb96ae071de33abeefaf7cdc73e1520f31

SHA256
dc73b1b117dea01bca9a19cf8a073fb38174e81ac7f9f649cdbdc8043bc1feb8

SHA512
3df7b1126d888d20cf1fe404c87c2fe156b05dcd9710d0b33be0fdd08d8140629cee41f5392e4a39c759fb1f5048f754dde56e28f6a0f684f35cc3e853b709de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ebf3018768cbdf7c87db8f752dabd6ad

SHA1
d7955e3182d3251a048b32261f4e47071a906ad0

SHA256
8019d41f270d0778fc562e9eb1456a60b11d4363a583bba65563cd13d641e363

SHA512
7883d810f58b649bdb1138d36df9127fa309f4ace277d08efdd4fed53c62603ad96511bfae9e7da8691033c9607147119970324631602ffa7fa3cc766ede4d8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8bbe6930c823e02c73b41d91f8de0145

SHA1
25b82c98ed75ddea1ad1b4ad91f3f9b9a2696638

SHA256
b8ebbeb9b71fc05b7dbbccdd28756419d4b9a75381b828c3eeaf39f0cb2dcdb9

SHA512
b967630ccf1daf48b2cc1190f1cd9ad2037260e6b53079f99b530bb68454ea68c70826270def2ffa9bc14447d560ae0bb11103de61888725ac5e78af8105c650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
9966437d5ddd0d27f149562141d36d94

SHA1
285aad46f040db9547e9795d5f4edafb09758e41

SHA256
81cab9b8af2cf5f377093c0b1029cb45c4dbb40ae490bcab7abeb02ef3cbcde6

SHA512
d978aa3b8403544ba839e108d116727561612e2c6ab0ab4fa2bec4915ee6af9dc3d4b7c48287c8c15e7286b8dbdeb4391d0f45e40b7b73593c311b64ddce62dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
5f316f39fb09144933a8a6c649c04a82

SHA1
abd44f581d5ec145d20d58e00dce26d1429ef911

SHA256
3d060894dd6b8bf029451f5a4feb78b334524c9f3c49aca146646d7133ea3917

SHA512
a32ad5b0662bb5054e1074b082a41dfdcd38fdf463bfd9e5b8db1c56b93ea580e3d72e5e3bf23f780d97dafb631d133c7cb1b53b8d6f4728c3973fc84b8da6ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
c99cec8f22fbd2cfa6095b4507df22ce

SHA1
ce884f9dd4a51b2d2eeb4d8c6b6a4ecde3ab1e3a

SHA256
c54bc6faa3c8fdf8bbff1c101b5998ad8a4642a95c02ff3010eee380972ad0a9

SHA512
ad453168720b4ee8ed88bce4f22a459d4bfbfadbfd653dda36dc155e9ecf7d2e924712bd52d7252b4b92af93bff28ce2c79b715565df8eb7dfe3ee6f67817959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
6080d5879cac8abd749e151ed038c476

SHA1
786085547558f2e6f2f1ced292a023bcf692a06f

SHA256
cc1d16acac2c9ee6046425a5dd08320294a825bb50b1ec6f31c6e7e30894026f

SHA512
8efb7f5baf1402be7ef3b863063d458617444bb59d53b622db3334bcd932703d66af3896c956fd1bf9616cc11584153205666538bf59f0e8ae0d7885cd86befd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Quasar.exe.log

Filesize
2KB

MD5
b5d1a98d44ffe5e708bf62b61afc9bd4

SHA1
b3e54fbad74b8aa7703bbbcdb147b1dedd8064c3

SHA256
be46ba97803c1398f5096424d8adf22b1395294e1d64f511e8ec25ebf422389a

SHA512
8471841232c45743a2d06593698f85f036b8435c7110edbee9b9ee1a78882073dc03239f7862950dcfd502fabc0c748e7dc8400baa0ab06e3a7fe37ab92e7406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
5964c116d7dc4cea1e2585cb8abf0e86

SHA1
422e43e868d12c6a731e844fb9d7e28230cb0dc5

SHA256
2cec444595dd1b5fcef137aa09d24027eea5a3b097357d5389b5a23ed9974e7c

SHA512
eca05cab3a7e898ca3bda809ac499c50b6e647952b6c92dbfde9b3e1e2d0ea94f0f8f433026f087f7b98eaec340dabbf1f17ffb7f471291b5ff0c35ee3acbf13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
d50e697822f2ca4838c89cbcb4b9e15c

SHA1
f646f76ea738796df749483e007039620108f17a

SHA256
30dc194d9b1babd11b4ca3a29f25eacd89d0f83a7fb34c864f56a4ef9d97d34e

SHA512
0c9b4415329f4b02485283db8831614434dd3cba9956d852909b50e3621abde20b2edd3328d463fc9c3194083f7810e514aa37f30571a0b94b53a4952f6bc7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4AD33187\IF QUASAR DOES NOT OPEN.txt

Filesize
474B

MD5
5c5b3659a84b0a078b8365daba6eabdc

SHA1
9ea19ef8f6f11f23c7630e1c1489c9239cb247da

SHA256
0e60b931504d0af91ba025bd38bc1037efeb55b01b218a5ae138956933c07fbd

SHA512
e43a3d03ae08e2bbbc7898b09d4b631843db3f33fcca03e7d9cad8fe22734887e99492ae40955e8c8364e5cf408b1dc82505f8841c88be74bf0b356e53462925

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4AD4F0D7\Quasar.exe

Filesize
6.5MB

MD5
f1d52bcd7463881c5e6af7bc9b759c62

SHA1
fed9f96e45609e4101fda4af2edcfd21d4b3cbd0

SHA256
d585cfe1f687209b4ae0f1ed91071016df0502c761721a8266911a1db05522f5

SHA512
a269f648e7b00e2c5da11d32be1936b81a47ed91c35158c291f38a13558e5fffde4e2674d9c08737645884031c71da1ebec7c61a41bd711b354e19b7a406179e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quasar.exe

Filesize
1.2MB

MD5
12ebf922aa80d13f8887e4c8c5e7be83

SHA1
7f87a80513e13efd45175e8f2511c2cd17ff51e8

SHA256
43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

SHA512
fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqwopiyc.dxw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1528_1372866401\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1528_1372866401\bb0a5bec-328f-4d36-88e9-01d5d2add094.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.3MB

MD5
f4d806564a06c220889b761500d5614c

SHA1
d0f17d434b5dfcb1a5fb1eabde275978f71bed8c

SHA256
b30585d6a27ca4adc8ea11c567449b7f7612e6871ae42911b4885a828ad43df7

SHA512
26b757a027b04ebb1f259a14285bbedb215fb0c931c07135cb9b66bcc457c0d26892745633f1bf3c494de245fd3ed9aacc4b4a54d6fd1cb8ddc12f500bfb0d43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3870231897-2573482396-1083937135-1000\546128ec1fd053df504d7233d443ab65_27b06f29-58d3-4ff3-b1fc-f519e4e4f0ec

Filesize
3KB

MD5
8a85ece248c913434c776e2f6cd605b9

SHA1
183d269716efe746b3cce4af67575ce74e2edbc7

SHA256
ae688873b4937b0216fbfc38108d35e699c94891a53cc9533581f95449987b0c

SHA512
4344e4e58622932f0b81ca690fae33939ee3ba66550d834c4a3e14c98ea89c402c61b60e6b5eb97dd2ed873ec4a4e12e892b8d373b0ac41d788a2251348a9654

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip.crdownload

Filesize
3.3MB

MD5
13aa4bf4f5ed1ac503c69470b1ede5c1

SHA1
c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

SHA256
4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

SHA512
767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12

Filesize
4KB

MD5
674694862c72ac05f29b068ca2d09d1f

SHA1
12ebac36dbc47ebf0e49c9be2cd658be76e04d14

SHA256
f775aca0f5c0fa0a535e1a189c20963bb53aa99dfd93e5d97fc5c358f6e24ee9

SHA512
10d19b11c02361c4314349fabdcf37110c31fdde5fed99dc226156f58bd5956bbb98ae79c439d3a36d67b025c817abc87dea6e8248e02b72950ddf61b315c63d

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml

Filesize
372B

MD5
53fd65acfd4628c232cb06a9bb786ee4

SHA1
982f941ab7a74c370d9c6e37d76e91532aab08a3

SHA256
9f4abc63d75d25c56c64d4e4aebaca21d30a0e26fd9cf399984098b42e0eca8f

SHA512
a86b30e9ba8432d70a61fb99ca9f1c7b92e67baae3d645428a84c918fd683457e78d57e273f304e49f9dcfe2d792ea8e87a5c2988ead7d3c1fc75e0c47bd1c64

Download Submit
memory/956-2166-0x000001DDF6970000-0x000001DDF698A000-memory.dmp

Filesize
104KB

Download
memory/956-2162-0x000001DDF6750000-0x000001DDF6803000-memory.dmp

Filesize
716KB

Download
memory/956-2167-0x000001DDF6920000-0x000001DDF6928000-memory.dmp

Filesize
32KB

Download
memory/956-2169-0x000001DDF6960000-0x000001DDF696A000-memory.dmp

Filesize
40KB

Download
memory/956-2165-0x000001DDF6910000-0x000001DDF691A000-memory.dmp

Filesize
40KB

Download
memory/956-2164-0x000001DDF6930000-0x000001DDF694C000-memory.dmp

Filesize
112KB

Download
memory/956-2168-0x000001DDF6950000-0x000001DDF6956000-memory.dmp

Filesize
24KB

Download
memory/956-2163-0x000001DDF6720000-0x000001DDF672A000-memory.dmp

Filesize
40KB

Download
memory/956-2161-0x000001DDF6730000-0x000001DDF674C000-memory.dmp

Filesize
112KB

Download
memory/2072-1659-0x00000215D2D90000-0x00000215D2DE0000-memory.dmp

Filesize
320KB

Download
memory/2072-1603-0x00000215B5FB0000-0x00000215B5FC6000-memory.dmp

Filesize
88KB

Download
memory/2072-1658-0x00000215D2670000-0x00000215D2688000-memory.dmp

Filesize
96KB

Download
memory/2072-1604-0x00000215D2A60000-0x00000215D2D8E000-memory.dmp

Filesize
3.2MB

Download
memory/2072-1660-0x00000215D2EA0000-0x00000215D2F52000-memory.dmp

Filesize
712KB

Download
memory/2072-1661-0x00000215D2DE0000-0x00000215D2E2C000-memory.dmp

Filesize
304KB

Download
memory/2900-2131-0x00000200DFC30000-0x00000200DFC52000-memory.dmp

Filesize
136KB

Download
memory/3888-985-0x000002551D750000-0x000002551D888000-memory.dmp

Filesize
1.2MB

Download
memory/4424-2176-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4424-2175-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4424-2174-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4424-2173-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4424-2172-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4424-2179-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4792-2182-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2188-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2181-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2187-0x0000000001060000-0x0000000001080000-memory.dmp

Filesize
128KB

Download
memory/4792-2191-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2189-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2190-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2180-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2186-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2185-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2184-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2183-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2192-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2193-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4792-2194-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download