quasar | c0dc1f716da2f042e2e3db7bbd10fc1a422ab9d6313fca58f402caa6ce2e09e0

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
29/01/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minecrafttexturepackinstaller.exe
Size

3.1MB
MD5

5e738b824f8fbf566922398d08f81911
SHA1

8da82c5bb9dd7dc27782e727bf80c8769c8c82d8
SHA256

c0dc1f716da2f042e2e3db7bbd10fc1a422ab9d6313fca58f402caa6ce2e09e0
SHA512

c8749a49652789a5cc27232787839dc8672aa7ae59f9c8079e3d75914b34ec045b5b2c9a7348036bb0c559761dcca6547a6066a8edac7d95406de2e8f42f75cd
SSDEEP

49152:3vDlL26AaNeWgPhlmVqvMQ7XSK6Cd1JuLoGdVTHHB72eh2NT:3v5L26AaNeWgPhlmVqkQ7XSK6Ce

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

aa:4782

Mutex

bcfefb6b-a2fb-4600-b3a8-5d05d874fcc8

Attributes

encryption_key
ED6DC4FB6E6BBD404877E1DEBD5E1DB5959BC5E7
install_name
minecrafttexturepackinstaller.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4780-1-0x0000000000650000-0x0000000000974000-memory.dmp	family_quasar
behavioral1/files/0x004b00000002aac0-6.dat	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
4968	minecrafttexturepackinstaller.exe
4884	minecrafttexturepackinstaller.exe
3176	minecrafttexturepackinstaller.exe
4784	minecrafttexturepackinstaller.exe
3120	minecrafttexturepackinstaller.exe
4380	minecrafttexturepackinstaller.exe
3176	minecrafttexturepackinstaller.exe
1188	minecrafttexturepackinstaller.exe
3660	minecrafttexturepackinstaller.exe
2572	minecrafttexturepackinstaller.exe
4888	minecrafttexturepackinstaller.exe
3376	minecrafttexturepackinstaller.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1592	PING.EXE
3564	PING.EXE
3056	PING.EXE
1056	PING.EXE
796	PING.EXE
3284	PING.EXE
3576	PING.EXE
3748	PING.EXE
3708	PING.EXE
4108	PING.EXE
3540	PING.EXE
1008	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133825950255931363"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1056	PING.EXE
796	PING.EXE
3708	PING.EXE
4108	PING.EXE
1592	PING.EXE
3056	PING.EXE
3284	PING.EXE
1008	PING.EXE
3576	PING.EXE
3748	PING.EXE
3564	PING.EXE
3540	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2088	schtasks.exe
2428	schtasks.exe
3684	schtasks.exe
5064	schtasks.exe
5012	schtasks.exe
4996	schtasks.exe
2884	schtasks.exe
2800	schtasks.exe
1432	schtasks.exe
3376	schtasks.exe
2620	schtasks.exe
4784	schtasks.exe
860	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1508	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	minecrafttexturepackinstaller.exe
Token: SeDebugPrivilege	4968	minecrafttexturepackinstaller.exe
Token: SeDebugPrivilege	4884	minecrafttexturepackinstaller.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeDebugPrivilege	3176	minecrafttexturepackinstaller.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeDebugPrivilege	4784	minecrafttexturepackinstaller.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4968	minecrafttexturepackinstaller.exe
4884	minecrafttexturepackinstaller.exe
3144	MiniSearchHost.exe
3176	minecrafttexturepackinstaller.exe
1508	POWERPNT.EXE
1508	POWERPNT.EXE
4784	minecrafttexturepackinstaller.exe
1508	POWERPNT.EXE
1508	POWERPNT.EXE
3120	minecrafttexturepackinstaller.exe
4380	minecrafttexturepackinstaller.exe
3176	minecrafttexturepackinstaller.exe
1188	minecrafttexturepackinstaller.exe
3660	minecrafttexturepackinstaller.exe
2572	minecrafttexturepackinstaller.exe
4888	minecrafttexturepackinstaller.exe
3376	minecrafttexturepackinstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 5012	4780	minecrafttexturepackinstaller.exe	77
PID 4780 wrote to memory of 5012	4780	minecrafttexturepackinstaller.exe	77
PID 4780 wrote to memory of 4968	4780	minecrafttexturepackinstaller.exe	79
PID 4780 wrote to memory of 4968	4780	minecrafttexturepackinstaller.exe	79
PID 4968 wrote to memory of 2088	4968	minecrafttexturepackinstaller.exe	80
PID 4968 wrote to memory of 2088	4968	minecrafttexturepackinstaller.exe	80
PID 4968 wrote to memory of 1380	4968	minecrafttexturepackinstaller.exe	82
PID 4968 wrote to memory of 1380	4968	minecrafttexturepackinstaller.exe	82
PID 1380 wrote to memory of 1340	1380	cmd.exe	84
PID 1380 wrote to memory of 1340	1380	cmd.exe	84
PID 1380 wrote to memory of 3576	1380	cmd.exe	85
PID 1380 wrote to memory of 3576	1380	cmd.exe	85
PID 1380 wrote to memory of 4884	1380	cmd.exe	86
PID 1380 wrote to memory of 4884	1380	cmd.exe	86
PID 4136 wrote to memory of 2808	4136	chrome.exe	90
PID 4136 wrote to memory of 2808	4136	chrome.exe	90
PID 4884 wrote to memory of 860	4884	minecrafttexturepackinstaller.exe	91
PID 4884 wrote to memory of 860	4884	minecrafttexturepackinstaller.exe	91
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 888	4136	chrome.exe	93
PID 4136 wrote to memory of 4788	4136	chrome.exe	94
PID 4136 wrote to memory of 4788	4136	chrome.exe	94
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95
PID 4136 wrote to memory of 2860	4136	chrome.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\minecrafttexturepackinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\minecrafttexturepackinstaller.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5012
- C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmLhorWdVsNu.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1340
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3576
  - - C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0LIq0ZXrzSqc.bat" "
        5⤵
        
        PID:3592
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2780
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3748
      - C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pnjt3NYOcfTv.bat" "
        7⤵
        
        PID:1956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YBMyOpzRoxIV.bat" "
        9⤵
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsgXpPeXaWpE.bat" "
        11⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M0LQ9TlViYPN.bat" "
        13⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3564
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CI6SIqktqPJW.bat" "
        15⤵
        
        PID:1956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3V0oiUw8YG3w.bat" "
        17⤵
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2gMC0wqUbObq.bat" "
        19⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v8vusmfjAQra.bat" "
        21⤵
        
        PID:4680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:796
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pD4RaBCbZL9g.bat" "
        23⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8R4A8XcVW9P1.bat" "
        25⤵
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84663cc40,0x7ff84663cc4c,0x7ff84663cc58
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5036,i,9499819562923417266,15005969857805147294,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2380

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2080

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\EditSync.odp" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0dc822b9bfbe0944f90adf770177bce6

SHA1
7a575ccede9c2c6df75255c78fa215064cdfb985

SHA256
fe277ce0fa747311e02211378e4add84d6601078a9fb399c93cfd6e593064aee

SHA512
80e96b5617a3664166aed047a639a556a8fd47d75e128c0cffb0485ab3808713e1bba1bf3e508fdb7b0eb2233b701d95da5eb645ddfb50151650b2913805132a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\21ed0fa0-9a6f-416d-836a-70049a0ec61f.tmp

Filesize
356B

MD5
95ca306367a6d7a7add29525ee5a4f6d

SHA1
a7b3abdc8eac47e7b088a098548c1e84ca768d51

SHA256
f77c90b4900bda64f05439d6dd857c7900e30a9b3501248f0431967fea88920b

SHA512
5ea8efa3584aff3fb14cd86a0aad10eb096d8597cf1cbaf4ec9b789e5b0c060826c0175ebfac20326fdcb6048c9c87338fc88ca408fc310653cc91bff73411ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9c9ca92e5b096dc386fb27bafc4b0676

SHA1
571a0998315760c0dae968878f929c74e38b7182

SHA256
7dd312c0a1f7a6e796177952c31447cb4ba029467c3f2d6cb8cadab196127ab1

SHA512
0c33ac7388020123a518ff4a9d116318995eca62a91a474313a174c739f29300d81481fc35d3635fd4538a28bbf7d2f553a300a23db6590628a20b6ada2b92e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c2b2f4646857295f036a8e06a57128b2

SHA1
4d7b23d096d741e3839c4984bed8c19dece3ba00

SHA256
860f1ab415fd60248837c9b0a465ad395d850861bab988a18adeee31103ff1c2

SHA512
e2283519ced4d0a6c1823df1e6fbede499218fdb849610ddcda8e3fcbd2b3e6bb8e444420a3d81dc6b83e5747dadf0bf2cbce3fb328dee8e844a5a1427e9501a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
753774e6568e308e2e31f2feeb1170b4

SHA1
4a79a977f3a989ce8115d1b1037dad33f8a7b9a0

SHA256
9f5346e260edcf19ef4f8ea843fc1e597a2556bffa8fd25cd76db7e423ea0687

SHA512
b5f498c526094ae6e58ee2b6ba3446e45520c2b305788216dbe21cf43905478603b52eda219d964b11ba3b1e31d0d9640e3b26c6de4e49e4f8202969798caca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
04fce8d01d934f850d8533409f2e7915

SHA1
457094122d76a8a9e7885926a24a1ab70ceae46d

SHA256
4cc1d7334bce3a8b9970fa6a4b9090a602a8c13c064264ef597ab1b24f8948ea

SHA512
b1a1ec592829c6e33c26a35697612f56bc9cdd88b6d41a3ce1e463a4f648789a36125ec8506d5696f7a96d894ce5d22fab98fd3d491220d5a15af3db28decd55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bab1924163d7f99215cb0ea4b14cd8a5

SHA1
04fc33f7066582e83e90b601c79c908ea7f78f81

SHA256
12bf338af3c153289c5bf7bb5023ea147fddd3fcb1d0c6b74304469675da6c0d

SHA512
f869a0c5f7e7a31e65fc8ded012f47d07d92480c4f68b69ed11496d22009bb890a5c6e6b1ef8087e191b103ed59a2a0ef726a1cf25e10a652a9f1c9546d6716c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
146467cb239f92d8756e6bf753106f41

SHA1
c2524aad301f3a598042421f63f37a5bf935b4ed

SHA256
f1c372da8e27addb4b0deac6a4cafc0921bdc209f2671657180e09c0c4876696

SHA512
697ee9518a16e81fc5c16e324e6f5266465fa3ee867f78562e023521bdc2f21718ede8b2943514062adc144d61c22e706c64f99dc62954ca11c1c46255f0d8b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
35b2ff78cfa739e813758912590efe73

SHA1
905f4d8de878f17d5a39e4a85213935345679821

SHA256
ea184e69d9b56d1b53bee6a2a854af3e3ad9a62195ea89adf08e15dba65e57c4

SHA512
a6e89bb3aa68da68e00f04fa144415e7541245c2d75a1facc14bc6159c251a8c1f7681ac7805b415b32a32caf11f116e249e40b98fadf37dedf001da7e0ea3f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cc4eca9f6bdc19d36e5bb0a9405d23f

SHA1
0dedfd45d8ac5b99e5eb6bac58d2c49bb4d97191

SHA256
c5478d4e2fbaf00602708e6f97898e75f2a4c7f4e5be502716110c73a1817a8d

SHA512
b125b654098e6e58277eaaf16fe249c63798aff2235d9070a021e27a0773459d16f65ca4796756f06358dab92452bd0c2548b7e87e6f90a8290b9a695f43c26f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
aee458a3ff67d7f91bfa5ada17cb2c90

SHA1
a0628679a6fe4d9e235693e2bc79cd05c9db4267

SHA256
2b4369746df735e862ba005ed3a3450c454f40f88ec985ecc57d74f5fc1c861d

SHA512
19c4977fee6ee23d90b4dccf9564b9852242c633abc0c96b425dd27c842d6d334d28bbff62ae4a320a54b729379c190aabe90b5bafe561e4d0e27d456df839b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
237KB

MD5
90b453482a8698f412d6b3534ace0d6f

SHA1
7bffaa84aee5aef5827b0de5f6ad92d128fae2be

SHA256
b87ce8c026d5d379791fae070883627f26ae8306fc53fe7b7aef1505dbc76071

SHA512
614712eb046e2970d25682e57836fe38b80f6ff76f7d60198bf4c4dbc1865ad54130d5150472e587e940011fa96446179a569b3e5f706babf0fe200bbecabae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
237KB

MD5
c6ad5f70cbf70a78f9bd889aa2690f5d

SHA1
8753b24b02bbb89388cab4b4321bd2ba546e6813

SHA256
5fb5f5c88ec80ca4a991355a920da362bdafa014eda15eea939541ce9339137a

SHA512
82aa73adfdfa78e6d7ceccaa73d239449e09c77b52f340e01327b8e25053752fce72301025350903f9d37ad087b4e8fdbddcf64dbc1c6127560b6915737d48fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\minecrafttexturepackinstaller.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
964219fcbf4c1e0008bc5e05686367a9

SHA1
685a0b860afbfd43305bc67763e41b296a22ba8b

SHA256
4f4388ce8c3055db4827ad4b6d7d6ffc7bead99955a3fbe44ab3a5454651ae25

SHA512
2745f64b2bd54740a5c1f754785c39eeda9b6b5112707cc8630ba188638442de7c636446f750aeb340905d9da26f96ee4e7f7c96e2b690058ce29d7b6efe8c16

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LIq0ZXrzSqc.bat

Filesize
230B

MD5
af69e6934232ba796e6c40196a05bd19

SHA1
a5d84b0b377e0742bbe7182b803420ac4330119d

SHA256
d60ee675fbca97f2710d29a245e786d3ae5f2d71b85921275603869fb11a6b9c

SHA512
f0a818f8af09502d4d55aa121c6b40d89de871caa6f8ed3ee8e18359fa38aba582e5cc4a186e309afb7d1b01008013640885ba8eafb8c58a630c8ac4dc745ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gMC0wqUbObq.bat

Filesize
230B

MD5
3becce6937df143b46e083bb90fce29c

SHA1
cde531827d08830e9737ce554cec618e4f93e462

SHA256
60626a3130f8cdaf61cb41d499ac686528d9cf81167d6e9af4abe2e2e7ea0676

SHA512
a96027712965efee296e0f38d0e73dc409af24c18036b245e0474f989b73af9c039857b3f3755802e6047708b7c60352b987ab5fae121069de98d79f4898e2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3V0oiUw8YG3w.bat

Filesize
230B

MD5
7fdd8da8376380a4d5d6f5262d6d8e82

SHA1
3d466acddbd8b2c4d0c5bf3725f3de8766bb489d

SHA256
75f67828d3b1ec9c4e095d06bc7c152841ac8c5054044518c0fc93741bcaf767

SHA512
21ffc1720006c151d85f9356edce68c8ccdfc4c8ccba1e94c8773ccd40cf16419cf58ce8e5e88b7a216456994ef7e21e1ae5859048c3dc74b5220d97d6a59ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8R4A8XcVW9P1.bat

Filesize
230B

MD5
4cde5feef7971162b9b807930e9e36b7

SHA1
affa5a043c42646dbc445dc55c5e17b87d5aaa77

SHA256
125067fd4294a349312788b46dd0f6913f815201e2b57a390a0ca96b33d5fff4

SHA512
564820d7b3188b95d59bc5f856b0ca0a73e16956c547373e898252a371f2c3effbfe6fcbd4b8ff41fabdce63926926dbf6f7044d450103f48a920bda88d7dab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CI6SIqktqPJW.bat

Filesize
230B

MD5
99e998f809de24f71fbb41ebf9305124

SHA1
aab1117add4d600ddfc2a543f20478713e73cee1

SHA256
91e48d58eaf8a690466877b339ad9e4de9d38238e76fb366c0fc3135a622ed06

SHA512
d42d89e711fa17c4c63f4e58fce7a2e65b64e6541cec0390c611c674c07a7ad52b809b1b036395fea85599f5f2ec1e812bc880ecf3887c34b2f9a4c2f603c91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\M0LQ9TlViYPN.bat

Filesize
230B

MD5
ec4425718d57c5da8880454af96d6515

SHA1
c27265bea3e402aa611c9af6ced64886f8ac7b09

SHA256
85e79520486cda71bc6e67b0bcb5c13994aae992e3749b4baeb7a7ae290f9ec7

SHA512
676e9062d8a9495d4000f73baac7c497a4038d8f6fa2bc351281810029402335af3eb3284f5330e5c3e2b432902291ffc2fcb0966b98a36497ef723504af6c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmLhorWdVsNu.bat

Filesize
230B

MD5
d5cac99a355ad018d5cab5ff3fe9db0f

SHA1
ce31e1f5596df3bfb31a331c4fad7b4cd8c43819

SHA256
1c2c628f9d1d4e01e3a87c556bcb9a44de30f5cb0a343434aa1cd65ce212d741

SHA512
832f6cf994aa8d53a690f3805151f322e1db99bb09c008f05e10e6dc1aeacf2b22ff4a1d91f370964eac43f388916eb00168ab87f9eb53ddda41d7a7743619b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pnjt3NYOcfTv.bat

Filesize
230B

MD5
ffe5c46ff7cf98bbd3e19e48c4c66676

SHA1
28d1996e8782221da1c15e3abc38960c61a66677

SHA256
8dbeb2be8d4c4ef9d9e1990bf69e85a10a88eed424f72d3446761fd30cf0f2c2

SHA512
83db8898e7d9808369d57b08410faa17ae87c22adff546d96be5309adfdebb6c2df4ee713e3552497846e169e7bf4ff94311f88e147560f359229a925756423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBMyOpzRoxIV.bat

Filesize
230B

MD5
f5a83ec88a1ab42e73afd3887dcc7aff

SHA1
3b6587cd6af670610916898ff3a46545029b7652

SHA256
798cc9d36debfd73ac9b3d27b9297144526f8e901cfd7b688b2ba382f9c45122

SHA512
745c053017e7d4df4877d6db91bbdbcbce86971b5f589d6345d97f0e8c7e623ab949230b7c450f83f923faa8c06fa96047568d495a579d4358213232b241c5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsgXpPeXaWpE.bat

Filesize
230B

MD5
74828ca34ae1e7ce38222511a094225b

SHA1
6da90e86a668623a756d3539ddb697ee9246406e

SHA256
66f5ee58b40f8a9cab76ff446724d74b1eb745e9d2573fe16ce63526d12bec14

SHA512
afcd9e439f13ebd87867ebd4f1c240dc063c28dcced7eb1a939f78f598b112f261c7056f044a1668ee63e34cd3c1eb6a96db6697bbe32b073344d66701b91eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pD4RaBCbZL9g.bat

Filesize
230B

MD5
797a298e04a45666f9c85ee7856fca13

SHA1
8be83b2f2f47d0a4b659ac6b0c85192abaf749d4

SHA256
2c73ef0a7369b62b481ea3d7fcdddb239f9c4fa40343d916846752d40c79622e

SHA512
d73332401143f81fa3622e59b772c3b7f573b7ca0a9a7e6a352bac479d21e499aa347e4b60f8a62e3edf610e8b4ff38df720706da88e6c4e9d8ac430ca3ab676

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8vusmfjAQra.bat

Filesize
230B

MD5
0e64270ade0419afaae2b8b538a25590

SHA1
e56ced01b9ad40aa657e7e0e5212d47fea60c053

SHA256
cdcb7d34fd6215e4bd1aeb29142b66aad3f01a32214e8f6e476c912f03811e96

SHA512
bef28e6d1558cd3e5d800289e50fe6640c65fef028316c2ecef4b49daa834405441ffb08585ce60e0a06ba297b1177525460acd5b650ffe118dfb469bdb42e5a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\minecrafttexturepackinstaller.exe

Filesize
3.1MB

MD5
5e738b824f8fbf566922398d08f81911

SHA1
8da82c5bb9dd7dc27782e727bf80c8769c8c82d8

SHA256
c0dc1f716da2f042e2e3db7bbd10fc1a422ab9d6313fca58f402caa6ce2e09e0

SHA512
c8749a49652789a5cc27232787839dc8672aa7ae59f9c8079e3d75914b34ec045b5b2c9a7348036bb0c559761dcca6547a6066a8edac7d95406de2e8f42f75cd

Download Submit
memory/1508-108-0x00007FF814460000-0x00007FF814470000-memory.dmp

Filesize
64KB

Download
memory/1508-107-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/1508-104-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/1508-105-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/1508-106-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/1508-103-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/1508-109-0x00007FF814460000-0x00007FF814470000-memory.dmp

Filesize
64KB

Download
memory/4780-10-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4780-0-0x00007FF834CF3000-0x00007FF834CF5000-memory.dmp

Filesize
8KB

Download
memory/4780-1-0x0000000000650000-0x0000000000974000-memory.dmp

Filesize
3.1MB

Download
memory/4780-2-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4968-19-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4968-12-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4968-13-0x000000001CB00000-0x000000001CB50000-memory.dmp

Filesize
320KB

Download
memory/4968-11-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4968-14-0x000000001CC10000-0x000000001CCC2000-memory.dmp

Filesize
712KB

Download
memory/4968-15-0x000000001D300000-0x000000001D828000-memory.dmp

Filesize
5.2MB

Download